Edit tour

Windows Analysis Report
hesaphareketi-01.exe

Overview

General Information

Sample name:	hesaphareketi-01.exe
Analysis ID:	1482859
MD5:	7ccb3c07bf2918bbcad959e27e17f083
SHA1:	978f8c090da4173cdf2544b38b5e53aa6fc2fab7
SHA256:	e7413d14be16f0ef9d69ab606b79523851edce48ddb94d335388f6ef10bb6388
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Drops PE files with benign system names

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hesaphareketi-01.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: 7CCB3C07BF2918BBCAD959E27E17F083)

svchost.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: 7CCB3C07BF2918BBCAD959E27E17F083)

RegSvcs.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\hesaphareketi-01.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 7CCB3C07BF2918BBCAD959E27E17F083)

RegSvcs.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7664 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

svchost.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 7CCB3C07BF2918BBCAD959E27E17F083)

RegSvcs.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 7CCB3C07BF2918BBCAD959E27E17F083)

RegSvcs.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Local\directory\svchost.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1525712678.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x420f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42163:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x421ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4227f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x422e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4235b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x423f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42481:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41209:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4127b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41305:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41397:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41401:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41473:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41509:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41599:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.1373146693.0000000004050000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.1533006921.0000000003019000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3823762351.0000000003188000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1533006921.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.3823762351.000000000319F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1505679613.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1529937872.0000000002160000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.3823762351.00000000031C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1389742487.00000000040E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 7484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7484	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7808	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.svchost.exe.2160000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.55c0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.55c0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.55c0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.55c0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41209:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4127b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41305:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41397:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41401:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41473:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41509:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41599:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2b6fda6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40363:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4047f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4055b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40681:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2b70c8e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f409:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f47b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f505:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f597:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f601:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f673:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f709:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f799:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2e20000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x420f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42163:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x421ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4227f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x422e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4235b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x423f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42481:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2b70c8e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2b70c8e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41209:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4127b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41305:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41397:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41401:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41473:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41509:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41599:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.svchost.exe.3b00000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.svchost.exe.4050000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f409:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f47b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f505:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f597:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f601:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f673:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f709:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f799:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2b6fda6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2b6fda6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x420f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42163:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x421ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4227f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x422e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4235b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x423f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42481:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2e20000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x402f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40363:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x403ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4047f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x404e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4055b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x405f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40681:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.3ff5390.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3ff5390.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3ff5390.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3ff5390.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41209:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4127b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41305:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41397:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41401:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41473:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41509:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41599:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.55c0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.55c0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.55c0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.55c0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f409:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f47b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f505:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f597:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f601:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f673:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f709:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f799:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.3ff5390.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3ff5390.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3ff5390.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3ff5390.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f409:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f47b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f505:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f597:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f601:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f673:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f709:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f799:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2e20ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x41209:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4127b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41305:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41397:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41401:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41473:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41509:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41599:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.svchost.exe.40e0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F4 88 44 24 2B 88 44 24 2F B0 B2 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Click to see the 49 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\hesaphareketi-01.exe, ProcessId: 7352, TargetFilename: C:\Users\user\AppData\Local\directory\svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\directory\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\directory\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\directory\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.exe, ParentProcessId: 7352, ParentProcessName: hesaphareketi-01.exe, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ProcessId: 7416, ProcessName: svchost.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , ProcessId: 7664, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7484, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49707

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\directory\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\directory\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\directory\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.exe, ParentProcessId: 7352, ParentProcessName: hesaphareketi-01.exe, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ProcessId: 7416, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs" , ProcessId: 7664, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\directory\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\directory\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\directory\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ParentImage: C:\Users\user\Desktop\hesaphareketi-01.exe, ParentProcessId: 7352, ParentProcessName: hesaphareketi-01.exe, ProcessCommandLine: "C:\Users\user\Desktop\hesaphareketi-01.exe", ProcessId: 7416, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\svchost.exe, ProcessId: 7416, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-26T09:28:35.751015+0200
SID:	2022930
Source Port:	443
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.7

Timestamp:	2024-07-26T09:29:13.984243+0200
SID:	2022930
Source Port:	443
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}

Multi AV Scanner detection for domain / URL

Source: zqamcx.com	Virustotal: Detection: 8%			Perma Link
Source: http://zqamcx.com	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\svchost.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Virustotal: Detection: 32%			Perma Link

Multi AV Scanner detection for submitted file

Source: hesaphareketi-01.exe	Virustotal: Detection: 32%			Perma Link
Source: hesaphareketi-01.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hesaphareketi-01.exe

Joe Sandbox ML: detected

Source: hesaphareketi-01.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822876125.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1371136118.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371411678.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1387646956.0000000004180000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1388311530.0000000004320000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499632900.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499281019.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518337092.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518775868.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000002.00000003.1371136118.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371411678.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1387646956.0000000004180000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1388311530.0000000004320000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499632900.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499281019.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518337092.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518775868.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006BDBBE
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0068C2A2 FindFirstFileExW,	0_2_0068C2A2
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C68EE FindFirstFileW,FindClose,	0_2_006C68EE
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006C698F
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006BD076
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006BD3A9
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006C9642
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006C979D
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006C9B2B
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006C5C97
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0008DBBE
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0005C2A2 FindFirstFileExW,	2_2_0005C2A2
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000968EE FindFirstFileW,FindClose,	2_2_000968EE
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0009698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0009698F
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0008D076
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0008D3A9
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00099642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00099642
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0009979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0009979D
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00099B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00099B2B
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00095C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00095C97

Source: global traffic

TCP traffic: 192.168.2.7:49707 -> 78.110.166.82:587

Source: Joe Sandbox View

IP Address: 78.110.166.82 78.110.166.82

Source: Joe Sandbox View

ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location UKSERVERS-ASUKDedicatedServersHostingandCo-Location

Source: global traffic

TCP traffic: 192.168.2.7:49707 -> 78.110.166.82:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_006CCE44

Source: global traffic

DNS traffic detected: DNS query: zqamcx.com

Source: RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zqamcx.com
Source: RegSvcs.exe, 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, O9KGcRw9bkp.cs

.Net Code: KAZ

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_065EE548 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,065EEA60,00000000,00000000

5_2_065EE548

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006CEAFF

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_006CED6A
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0009ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0009ED6A

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

0_2_006CEAFF

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_006BAA57

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_006E9576
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_000B9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.svchost.exe.2160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.svchost.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.svchost.exe.4050000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.svchost.exe.40e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.1525712678.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1373146693.0000000004050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.1505679613.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1529937872.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.1389742487.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: hesaphareketi-01.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: hesaphareketi-01.exe, 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2da9eba6-4
Source: hesaphareketi-01.exe, 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_03c35d04-b
Source: hesaphareketi-01.exe, 00000000.00000003.1354465879.0000000003511000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_89bd292d-7
Source: hesaphareketi-01.exe, 00000000.00000003.1354465879.0000000003511000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7351fcc2-d
Source: svchost.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: svchost.exe, 00000002.00000002.1372267975.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_917f9649-1
Source: svchost.exe, 00000002.00000002.1372267975.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d7d4eb80-4
Source: svchost.exe, 00000004.00000000.1371924745.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_01c71469-3
Source: svchost.exe, 00000004.00000000.1371924745.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e0a09421-0
Source: svchost.exe, 00000007.00000000.1485519101.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a5639778-3
Source: svchost.exe, 00000007.00000000.1485519101.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1d747352-b
Source: svchost.exe, 00000009.00000000.1500400862.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c8b1b546-b
Source: svchost.exe, 00000009.00000000.1500400862.00000000000E2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_15bd4966-6
Source: hesaphareketi-01.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d48ff083-1
Source: hesaphareketi-01.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a1a80f0f-d
Source: svchost.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_28172fcc-0
Source: svchost.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ba0941d7-e

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_006BD5EB

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006B1201

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_006BE8F6
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0008E8F6

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00658060	0_2_00658060
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C2046	0_2_006C2046
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006B8298	0_2_006B8298
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0068E4FF	0_2_0068E4FF
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0068676B	0_2_0068676B
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006E4873	0_2_006E4873
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0065CAF0	0_2_0065CAF0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0067CAA0	0_2_0067CAA0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0066CC39	0_2_0066CC39
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00686DD9	0_2_00686DD9
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0066D07D	0_2_0066D07D
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0066B119	0_2_0066B119
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006591C0	0_2_006591C0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00671394	0_2_00671394
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00671706	0_2_00671706
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0067781B	0_2_0067781B
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0066997D	0_2_0066997D
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00657920	0_2_00657920
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006719B0	0_2_006719B0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00677A4A	0_2_00677A4A
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00671C77	0_2_00671C77
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00677CA7	0_2_00677CA7
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006DBE44	0_2_006DBE44
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00689EEE	0_2_00689EEE
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0065BF40	0_2_0065BF40
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00671F32	0_2_00671F32
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00603640	0_2_00603640
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00092046	2_2_00092046
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00028060	2_2_00028060
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00088298	2_2_00088298
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0005E4FF	2_2_0005E4FF
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0005676B	2_2_0005676B
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000B4873	2_2_000B4873
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0004CAA0	2_2_0004CAA0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0002CAF0	2_2_0002CAF0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0003CC39	2_2_0003CC39
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00056DD9	2_2_00056DD9
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0003B119	2_2_0003B119
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000291C0	2_2_000291C0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00041394	2_2_00041394
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00041706	2_2_00041706
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0004781B	2_2_0004781B
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00027920	2_2_00027920
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0003997D	2_2_0003997D
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000419B0	2_2_000419B0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00047A4A	2_2_00047A4A
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00041C77	2_2_00041C77
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00047CA7	2_2_00047CA7
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00073CD2	2_2_00073CD2
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000ABE44	2_2_000ABE44
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00059EEE	2_2_00059EEE
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00041F32	2_2_00041F32
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_04043640	2_2_04043640
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 4_2_023C3640	4_2_023C3640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418244	5_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401650	5_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418788	5_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CACF60	5_2_02CACF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CACC18	5_2_02CACC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CAD830	5_2_02CAD830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CA1025	5_2_02CA1025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CA1030	5_2_02CA1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_065E43C8	5_2_065E43C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_065E06B8	5_2_065E06B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_065E0040	5_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_065E7970	5_2_065E7970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D19F3C	5_2_06D19F3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D187E0	5_2_06D187E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D1C7B0	5_2_06D1C7B0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 7_2_03AF3640	7_2_03AF3640
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 9_2_02153640	9_2_02153640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0113CEA8	11_2_0113CEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0113DAC0	11_2_0113DAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0113D1F0	11_2_0113D1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01131030	11_2_01131030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_067243B9	11_2_067243B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_067206B8	11_2_067206B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06727570	11_2_06727570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06720040	11_2_06720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06E79FAC	11_2_06E79FAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06E78850	11_2_06E78850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: String function: 00659CB3 appears 31 times
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: String function: 00670A30 appears 46 times
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: String function: 0066F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: String function: 00040A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: String function: 0003F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: String function: 00029CB3 appears 31 times

Source: hesaphareketi-01.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.svchost.exe.2160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.svchost.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.svchost.exe.4050000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.svchost.exe.40e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.1525712678.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1373146693.0000000004050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.1505679613.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1529937872.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.1389742487.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, CMa60k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, EgTglEucnUn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, EgTglEucnUn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, MmVR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, MmVR.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@18/14@1/1

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006C37B5 GetLastError,FormatMessageW,

0_2_006C37B5

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006B10BF AdjustTokenPrivileges,CloseHandle,	0_2_006B10BF
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006B16C3
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000810BF AdjustTokenPrivileges,CloseHandle,	2_2_000810BF
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_000816C3

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006C51CD

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006DA67C

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_006C648E

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006542A2

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut4B09.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs"

Source: hesaphareketi-01.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hesaphareketi-01.exe	Virustotal: Detection: 32%
Source: hesaphareketi-01.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File read: C:\Users\user\Desktop\hesaphareketi-01.exe

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: hesaphareketi-01.exe

Static file information: File size 1426944 > 1048576

Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hesaphareketi-01.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hesaphareketi-01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822876125.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1371136118.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371411678.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1387646956.0000000004180000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1388311530.0000000004320000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499632900.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499281019.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518337092.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518775868.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000002.00000003.1371136118.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371411678.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1387646956.0000000004180000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1388311530.0000000004320000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499632900.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1499281019.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518337092.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1518775868.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp

Source: hesaphareketi-01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hesaphareketi-01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hesaphareketi-01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hesaphareketi-01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hesaphareketi-01.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006542DE

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00670A76 push ecx; ret	0_2_00670A89
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00040A76 push ecx; ret	2_2_00040A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02CA47A1 push cs; retf	5_2_02CA47A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_065EDDE7 push A005D2D0h; iretd	5_2_065EDDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_011347A1 push cs; retf	11_2_011347A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0672DDF7 push A00671D0h; iretd	11_2_0672DDFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06E74330 push es; ret	11_2_06E74340

Source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'I2J53GDITwUYJ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'I2J53GDITwUYJ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'I2J53GDITwUYJ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'I2J53GDITwUYJ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File created: C:\Users\user\AppData\Local\directory\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

File created: C:\Users\user\AppData\Local\directory\svchost.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0066F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0066F98E
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_006E1C41
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0003F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0003F98E
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_000B1C41

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-96367
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\svchost.exe	API/Special instruction interceptor: Address: 4043264
Source: C:\Users\user\AppData\Local\directory\svchost.exe	API/Special instruction interceptor: Address: 23C3264
Source: C:\Users\user\AppData\Local\directory\svchost.exe	API/Special instruction interceptor: Address: 3AF3264
Source: C:\Users\user\AppData\Local\directory\svchost.exe	API/Special instruction interceptor: Address: 2153264

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_06728CD7 sldt word ptr [eax]

11_2_06728CD7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2767	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1956	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7898	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\directory\svchost.exe	API coverage: 4.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006BDBBE
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0068C2A2 FindFirstFileExW,	0_2_0068C2A2
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C68EE FindFirstFileW,FindClose,	0_2_006C68EE
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006C698F
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006BD076
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006BD3A9
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006C9642
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006C979D
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006C9B2B
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006C5C97
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0008DBBE
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0005C2A2 FindFirstFileExW,	2_2_0005C2A2
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000968EE FindFirstFileW,FindClose,	2_2_000968EE
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0009698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0009698F
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0008D076
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0008D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0008D3A9
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00099642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00099642
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0009979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0009979D
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00099B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00099B2B
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00095C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00095C97

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006542DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99278	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98715	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98498	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97075	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96745	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98634	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006CEAA2 BlockInput,

0_2_006CEAA2

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_00682622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00682622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

5_2_004019F0

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006542DE

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00674CE8 mov eax, dword ptr fs:[00000030h]	0_2_00674CE8
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006034D0 mov eax, dword ptr fs:[00000030h]	0_2_006034D0
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00603530 mov eax, dword ptr fs:[00000030h]	0_2_00603530
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00601E80 mov eax, dword ptr fs:[00000030h]	0_2_00601E80
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00044CE8 mov eax, dword ptr fs:[00000030h]	2_2_00044CE8
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_040434D0 mov eax, dword ptr fs:[00000030h]	2_2_040434D0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_04043530 mov eax, dword ptr fs:[00000030h]	2_2_04043530
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_04041E80 mov eax, dword ptr fs:[00000030h]	2_2_04041E80
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 4_2_023C3530 mov eax, dword ptr fs:[00000030h]	4_2_023C3530
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 4_2_023C1E80 mov eax, dword ptr fs:[00000030h]	4_2_023C1E80
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 4_2_023C34D0 mov eax, dword ptr fs:[00000030h]	4_2_023C34D0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 7_2_03AF3530 mov eax, dword ptr fs:[00000030h]	7_2_03AF3530
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 7_2_03AF1E80 mov eax, dword ptr fs:[00000030h]	7_2_03AF1E80
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 7_2_03AF34D0 mov eax, dword ptr fs:[00000030h]	7_2_03AF34D0
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 9_2_02151E80 mov eax, dword ptr fs:[00000030h]	9_2_02151E80
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 9_2_02153530 mov eax, dword ptr fs:[00000030h]	9_2_02153530
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 9_2_021534D0 mov eax, dword ptr fs:[00000030h]	9_2_021534D0

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_006B0B62

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00682622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00682622
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_0067083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0067083F
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006709D5 SetUnhandledExceptionFilter,	0_2_006709D5
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_00670C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00670C21
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00052622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00052622
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_0004083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0004083F
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000409D5 SetUnhandledExceptionFilter,	2_2_000409D5
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_00040C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00040C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CDF008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C11008			Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

0_2_006B1201

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_00692BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00692BA5

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006BB226 SendInput,keybd_event,

0_2_006BB226

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006D22DA

Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

0_2_006B0B62

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006B1663

Source: hesaphareketi-01.exe, svchost.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: hesaphareketi-01.exe, svchost.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_00670698 cpuid

0_2_00670698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

5_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_006C8195

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006AD27A GetUserNameW,

0_2_006AD27A

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_0068B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0068B952

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Code function: 0_2_006542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006542DE

Source: C:\Users\user\Desktop\hesaphareketi-01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1533006921.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.0000000003188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1533006921.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.000000000319F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: svchost.exe	Binary or memory string: WIN_81
Source: svchost.exe	Binary or memory string: WIN_XP
Source: svchost.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: svchost.exe	Binary or memory string: WIN_XPe
Source: svchost.exe	Binary or memory string: WIN_VISTA
Source: svchost.exe	Binary or memory string: WIN_7
Source: svchost.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1533006921.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.0000000003188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1533006921.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.000000000319F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3823762351.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b70c8e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2b6fda6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.55c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3ff5390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_006D1204
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Code function: 0_2_006D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_006D1806
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_000A1204
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Code function: 2_2_000A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_000A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	321 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	321 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	441 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hesaphareketi-01.exe	32%	Virustotal		Browse
hesaphareketi-01.exe	50%	ReversingLabs	Win32.Trojan.Strab
hesaphareketi-01.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\svchost.exe	50%	ReversingLabs	Win32.Trojan.Strab
C:\Users\user\AppData\Local\directory\svchost.exe	32%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
zqamcx.com	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r11.i.lencr.org/0#	0%	Avira URL Cloud	safe
http://zqamcx.com	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
http://zqamcx.com	9%	Virustotal		Browse
http://r11.i.lencr.org/0#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
zqamcx.com	78.110.166.82	true	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://zqamcx.com	RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0#	RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000005.00000002.1538075158.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1533006921.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1538075158.0000000005713000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1526576845.000000000107E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.0000000005708000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3827449860.00000000056D3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3822236725.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3823762351.000000000324C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.110.166.82	zqamcx.com	United Kingdom		42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482859
Start date and time:	2024-07-26 09:27:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hesaphareketi-01.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@18/14@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 51 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:28:20	API Interceptor	11030451x Sleep call for process: RegSvcs.exe modified
09:28:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.110.166.82	COB756883.vbs	Get hash	malicious	CobaltStrike	Browse	windowsupdatesolutions.com/ServerCOB.txt
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zqamcx.com	RFQ_SOF_2024_43345.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	IMG_160750_311608.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker, PureLog Stealer	Browse	78.110.166.82
	FATURA.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Request_For_Quote_060624.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	New Inquiry.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Sy3CL61n0uDC55M.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	FaturaBildirim.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location	LisectAVT_2403002A_136.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	LisectAVT_2403002A_88.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	LisectAVT_2403002C_7.exe	Get hash	malicious	Remcos	Browse	45.128.223.185
	RFQ_SOF_2024_43345.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	78.110.166.82
	s4WsI8Qcm4.elf	Get hash	malicious	Mirai, Moobot	Browse	78.157.201.108
	IMG_160750_311608.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker, PureLog Stealer	Browse	78.110.166.82
	oTfjRHJdWzffhcnPGd.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	SZwdzMMRBU.elf	Get hash	malicious	Unknown	Browse	78.157.201.103
	FATURA.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	GfU2VYzM9r.elf	Get hash	malicious	Mirai	Browse	94.46.221.213

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	data
Category:	dropped
Size (bytes):	271028
Entropy (8bit):	7.972121533056188
Encrypted:	false
SSDEEP:	6144:KXfOMObGwoMRCqocPWiQo24gg+0MzUpYTjidyVHgahN6:6gbDLocPQovgqMwpAjlvv6
MD5:	A9229F9D21D17C051B3EEA5B89969A07
SHA1:	B3CFCF45E826205AB09BC9055E5DC8F78C041CFF
SHA-256:	3C20F4BD5A87A6956456DD5BD1DDE2585F36ECFF2E0E8476D08C804570CDBE0A
SHA-512:	728208CA648B331B7094DBD64C6A7E571EB3065D6D68DA37E7773ADC53BDDA92D6AAF38CBC5AC8E59D7B268532BF6A451A0CEF706FB7A9DD59A12664A79D680B
Malicious:	false
Reputation:	low
Preview:	EA06..$..C.sJ..1.P.4.n.a7.R.`.....&T............+..D....ab.I..3j.O.....a...%...UZ.V......:........\...4..?..`.y.T..X...I.N....,.X......`.....q<..{3+e.}5.]kr.l.Q?.Dd..CJ.E.4...W6.Iju......A.Rp...r.R..y.J...D@.....f...".2.Lf.N...J...............ZMj.....i..Z..55.....j\.5.HjT...'.R......w.G.Pc....4.M..)_T........4.N.....<S.....I....y...<...SJ...x.........,Yh....R.}d.....K.N...u.....x!..EF.5..>. ...J.S$........].\.~A1.......U..(.0..d...C&.x..........n7i...A..~..R...Mz=....H.c+Sh&.CV...9.v7....?y.?.5..s..o.&e..Rk..^.kR.T.TnE.I..j.....=..&....C.i ............#.s.T.=)...?.s...\......T.=..L.m...nk..k`@..4...T'.L......:.).zqR.kw.._....g.G..K.Gb...EhT.D.-D......g......:a..^9y...#Y..87kD..W._j..h.qz.Sl........p/.aL..p.UW....hT.E..z.g.\|.O!y..g.K.7.(.R...d..;.A.8>....Yu.> ......m.....u...E$.Jt....o(sM..`..O.Z..ss..C".....w.y.J.A.l.3..R...Dh...}......#.Z..._O<.. .....e........%..6;..#e5._:.......v..Z......)3N.....rp...L.....J...N.7ZG.....

C:\Users\user\AppData\Local\Temp\aut4B67.tmp

Download File

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.633561594584427
Encrypted:	false
SSDEEP:	192:Z1RBeYBwiJj/oGSU8lsMkvEfMtf9eTaiP:ZrBrBB3zssMksfMXabP
MD5:	F02D481604F758EBF235BEF743CA83CC
SHA1:	7AF6BD58362953DB03F5E7901FA65A05A96BF2CC
SHA-256:	C9E43F8F52791E353899EA8A7485A8DBEDDDE9CF5222FDD143600AC950282C42
SHA-512:	2BB8A55F53F08F54CE58907E99093290E26044290D36D0536D529056286ED629B0EB8E9F60383B43058F640B99E53085F1FEA57BA13DACAB2EAED09AD6D0288D
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\aut50F4.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	271028
Entropy (8bit):	7.972121533056188
Encrypted:	false
SSDEEP:	6144:KXfOMObGwoMRCqocPWiQo24gg+0MzUpYTjidyVHgahN6:6gbDLocPQovgqMwpAjlvv6
MD5:	A9229F9D21D17C051B3EEA5B89969A07
SHA1:	B3CFCF45E826205AB09BC9055E5DC8F78C041CFF
SHA-256:	3C20F4BD5A87A6956456DD5BD1DDE2585F36ECFF2E0E8476D08C804570CDBE0A
SHA-512:	728208CA648B331B7094DBD64C6A7E571EB3065D6D68DA37E7773ADC53BDDA92D6AAF38CBC5AC8E59D7B268532BF6A451A0CEF706FB7A9DD59A12664A79D680B
Malicious:	false
Reputation:	low
Preview:	EA06..$..C.sJ..1.P.4.n.a7.R.`.....&T............+..D....ab.I..3j.O.....a...%...UZ.V......:........\...4..?..`.y.T..X...I.N....,.X......`.....q<..{3+e.}5.]kr.l.Q?.Dd..CJ.E.4...W6.Iju......A.Rp...r.R..y.J...D@.....f...".2.Lf.N...J...............ZMj.....i..Z..55.....j\.5.HjT...'.R......w.G.Pc....4.M..)_T........4.N.....<S.....I....y...<...SJ...x.........,Yh....R.}d.....K.N...u.....x!..EF.5..>. ...J.S$........].\.~A1.......U..(.0..d...C&.x..........n7i...A..~..R...Mz=....H.c+Sh&.CV...9.v7....?y.?.5..s..o.&e..Rk..^.kR.T.TnE.I..j.....=..&....C.i ............#.s.T.=)...?.s...\......T.=..L.m...nk..k`@..4...T'.L......:.).zqR.kw.._....g.G..K.Gb...EhT.D.-D......g......:a..^9y...#Y..87kD..W._j..h.qz.Sl........p/.aL..p.UW....hT.E..z.g.\|.O!y..g.K.7.(.R...d..;.A.8>....Yu.> ......m.....u...E$.Jt....o(sM..`..O.Z..ss..C".....w.y.J.A.l.3..R...Dh...}......#.Z..._O<.. .....e........%..6;..#e5._:.......v..Z......)3N.....rp...L.....J...N.7ZG.....

C:\Users\user\AppData\Local\Temp\aut5143.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.633561594584427
Encrypted:	false
SSDEEP:	192:Z1RBeYBwiJj/oGSU8lsMkvEfMtf9eTaiP:ZrBrBB3zssMksfMXabP
MD5:	F02D481604F758EBF235BEF743CA83CC
SHA1:	7AF6BD58362953DB03F5E7901FA65A05A96BF2CC
SHA-256:	C9E43F8F52791E353899EA8A7485A8DBEDDDE9CF5222FDD143600AC950282C42
SHA-512:	2BB8A55F53F08F54CE58907E99093290E26044290D36D0536D529056286ED629B0EB8E9F60383B43058F640B99E53085F1FEA57BA13DACAB2EAED09AD6D0288D
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\aut5634.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	271028
Entropy (8bit):	7.972121533056188
Encrypted:	false
SSDEEP:	6144:KXfOMObGwoMRCqocPWiQo24gg+0MzUpYTjidyVHgahN6:6gbDLocPQovgqMwpAjlvv6
MD5:	A9229F9D21D17C051B3EEA5B89969A07
SHA1:	B3CFCF45E826205AB09BC9055E5DC8F78C041CFF
SHA-256:	3C20F4BD5A87A6956456DD5BD1DDE2585F36ECFF2E0E8476D08C804570CDBE0A
SHA-512:	728208CA648B331B7094DBD64C6A7E571EB3065D6D68DA37E7773ADC53BDDA92D6AAF38CBC5AC8E59D7B268532BF6A451A0CEF706FB7A9DD59A12664A79D680B
Malicious:	false
Reputation:	low
Preview:	EA06..$..C.sJ..1.P.4.n.a7.R.`.....&T............+..D....ab.I..3j.O.....a...%...UZ.V......:........\...4..?..`.y.T..X...I.N....,.X......`.....q<..{3+e.}5.]kr.l.Q?.Dd..CJ.E.4...W6.Iju......A.Rp...r.R..y.J...D@.....f...".2.Lf.N...J...............ZMj.....i..Z..55.....j\.5.HjT...'.R......w.G.Pc....4.M..)_T........4.N.....<S.....I....y...<...SJ...x.........,Yh....R.}d.....K.N...u.....x!..EF.5..>. ...J.S$........].\.~A1.......U..(.0..d...C&.x..........n7i...A..~..R...Mz=....H.c+Sh&.CV...9.v7....?y.?.5..s..o.&e..Rk..^.kR.T.TnE.I..j.....=..&....C.i ............#.s.T.=)...?.s...\......T.=..L.m...nk..k`@..4...T'.L......:.).zqR.kw.._....g.G..K.Gb...EhT.D.-D......g......:a..^9y...#Y..87kD..W._j..h.qz.Sl........p/.aL..p.UW....hT.E..z.g.\|.O!y..g.K.7.(.R...d..;.A.8>....Yu.> ......m.....u...E$.Jt....o(sM..`..O.Z..ss..C".....w.y.J.A.l.3..R...Dh...}......#.Z..._O<.. .....e........%..6;..#e5._:.......v..Z......)3N.....rp...L.....J...N.7ZG.....

C:\Users\user\AppData\Local\Temp\aut5683.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.633561594584427
Encrypted:	false
SSDEEP:	192:Z1RBeYBwiJj/oGSU8lsMkvEfMtf9eTaiP:ZrBrBB3zssMksfMXabP
MD5:	F02D481604F758EBF235BEF743CA83CC
SHA1:	7AF6BD58362953DB03F5E7901FA65A05A96BF2CC
SHA-256:	C9E43F8F52791E353899EA8A7485A8DBEDDDE9CF5222FDD143600AC950282C42
SHA-512:	2BB8A55F53F08F54CE58907E99093290E26044290D36D0536D529056286ED629B0EB8E9F60383B43058F640B99E53085F1FEA57BA13DACAB2EAED09AD6D0288D
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\aut82B3.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	271028
Entropy (8bit):	7.972121533056188
Encrypted:	false
SSDEEP:	6144:KXfOMObGwoMRCqocPWiQo24gg+0MzUpYTjidyVHgahN6:6gbDLocPQovgqMwpAjlvv6
MD5:	A9229F9D21D17C051B3EEA5B89969A07
SHA1:	B3CFCF45E826205AB09BC9055E5DC8F78C041CFF
SHA-256:	3C20F4BD5A87A6956456DD5BD1DDE2585F36ECFF2E0E8476D08C804570CDBE0A
SHA-512:	728208CA648B331B7094DBD64C6A7E571EB3065D6D68DA37E7773ADC53BDDA92D6AAF38CBC5AC8E59D7B268532BF6A451A0CEF706FB7A9DD59A12664A79D680B
Malicious:	false
Preview:	EA06..$..C.sJ..1.P.4.n.a7.R.`.....&T............+..D....ab.I..3j.O.....a...%...UZ.V......:........\...4..?..`.y.T..X...I.N....,.X......`.....q<..{3+e.}5.]kr.l.Q?.Dd..CJ.E.4...W6.Iju......A.Rp...r.R..y.J...D@.....f...".2.Lf.N...J...............ZMj.....i..Z..55.....j\.5.HjT...'.R......w.G.Pc....4.M..)_T........4.N.....<S.....I....y...<...SJ...x.........,Yh....R.}d.....K.N...u.....x!..EF.5..>. ...J.S$........].\.~A1.......U..(.0..d...C&.x..........n7i...A..~..R...Mz=....H.c+Sh&.CV...9.v7....?y.?.5..s..o.&e..Rk..^.kR.T.TnE.I..j.....=..&....C.i ............#.s.T.=)...?.s...\......T.=..L.m...nk..k`@..4...T'.L......:.).zqR.kw.._....g.G..K.Gb...EhT.D.-D......g......:a..^9y...#Y..87kD..W._j..h.qz.Sl........p/.aL..p.UW....hT.E..z.g.\|.O!y..g.K.7.(.R...d..;.A.8>....Yu.> ......m.....u...E$.Jt....o(sM..`..O.Z..ss..C".....w.y.J.A.l.3..R...Dh...}......#.Z..._O<.. .....e........%..6;..#e5._:.......v..Z......)3N.....rp...L.....J...N.7ZG.....

C:\Users\user\AppData\Local\Temp\aut82F2.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.633561594584427
Encrypted:	false
SSDEEP:	192:Z1RBeYBwiJj/oGSU8lsMkvEfMtf9eTaiP:ZrBrBB3zssMksfMXabP
MD5:	F02D481604F758EBF235BEF743CA83CC
SHA1:	7AF6BD58362953DB03F5E7901FA65A05A96BF2CC
SHA-256:	C9E43F8F52791E353899EA8A7485A8DBEDDDE9CF5222FDD143600AC950282C42
SHA-512:	2BB8A55F53F08F54CE58907E99093290E26044290D36D0536D529056286ED629B0EB8E9F60383B43058F640B99E53085F1FEA57BA13DACAB2EAED09AD6D0288D
Malicious:	false
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\aut886F.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	271028
Entropy (8bit):	7.972121533056188
Encrypted:	false
SSDEEP:	6144:KXfOMObGwoMRCqocPWiQo24gg+0MzUpYTjidyVHgahN6:6gbDLocPQovgqMwpAjlvv6
MD5:	A9229F9D21D17C051B3EEA5B89969A07
SHA1:	B3CFCF45E826205AB09BC9055E5DC8F78C041CFF
SHA-256:	3C20F4BD5A87A6956456DD5BD1DDE2585F36ECFF2E0E8476D08C804570CDBE0A
SHA-512:	728208CA648B331B7094DBD64C6A7E571EB3065D6D68DA37E7773ADC53BDDA92D6AAF38CBC5AC8E59D7B268532BF6A451A0CEF706FB7A9DD59A12664A79D680B
Malicious:	false
Preview:	EA06..$..C.sJ..1.P.4.n.a7.R.`.....&T............+..D....ab.I..3j.O.....a...%...UZ.V......:........\...4..?..`.y.T..X...I.N....,.X......`.....q<..{3+e.}5.]kr.l.Q?.Dd..CJ.E.4...W6.Iju......A.Rp...r.R..y.J...D@.....f...".2.Lf.N...J...............ZMj.....i..Z..55.....j\.5.HjT...'.R......w.G.Pc....4.M..)_T........4.N.....<S.....I....y...<...SJ...x.........,Yh....R.}d.....K.N...u.....x!..EF.5..>. ...J.S$........].\.~A1.......U..(.0..d...C&.x..........n7i...A..~..R...Mz=....H.c+Sh&.CV...9.v7....?y.?.5..s..o.&e..Rk..^.kR.T.TnE.I..j.....=..&....C.i ............#.s.T.=)...?.s...\......T.=..L.m...nk..k`@..4...T'.L......:.).zqR.kw.._....g.G..K.Gb...EhT.D.-D......g......:a..^9y...#Y..87kD..W._j..h.qz.Sl........p/.aL..p.UW....hT.E..z.g.\|.O!y..g.K.7.(.R...d..;.A.8>....Yu.> ......m.....u...E$.Jt....o(sM..`..O.Z..ss..C".....w.y.J.A.l.3..R...Dh...}......#.Z..._O<.. .....e........%..6;..#e5._:.......v..Z......)3N.....rp...L.....J...N.7ZG.....

C:\Users\user\AppData\Local\Temp\aut89E7.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	9768
Entropy (8bit):	7.633561594584427
Encrypted:	false
SSDEEP:	192:Z1RBeYBwiJj/oGSU8lsMkvEfMtf9eTaiP:ZrBrBB3zssMksfMXabP
MD5:	F02D481604F758EBF235BEF743CA83CC
SHA1:	7AF6BD58362953DB03F5E7901FA65A05A96BF2CC
SHA-256:	C9E43F8F52791E353899EA8A7485A8DBEDDDE9CF5222FDD143600AC950282C42
SHA-512:	2BB8A55F53F08F54CE58907E99093290E26044290D36D0536D529056286ED629B0EB8E9F60383B43058F640B99E53085F1FEA57BA13DACAB2EAED09AD6D0288D
Malicious:	false
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\nonsubmerged

Download File

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	modified
Size (bytes):	28674
Entropy (8bit):	3.584062032869899
Encrypted:	false
SSDEEP:	768:Jx7TYScFCo3T3iCyv/3bntWUl+nU+nokU/WsX2HzZmL5sCWi:zTYScFCo3T3izv/3bntWUl+nU+nokU/3
MD5:	5E6859127C5512B93D242E69968504F2
SHA1:	60F72690BCFB2D2D0ABCAB606B7DC6DF16976F26
SHA-256:	02719B524B7AD3A5EE7D5812B3165CBDCCE3F33463F75FD4282074549914B443
SHA-512:	77DA1BA3121320240112CCC3C1A56535E010BC59113F19DA9655074D7A32798644EF6F432F8445CAB5D56D59C3FDC949B17C2BCEE229542910634F1A778917B3
Malicious:	false
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\Temp\ophiolatrous

Download File

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	data
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	7.897606562107969
Encrypted:	false
SSDEEP:	6144:p+Iau1x7/hNejrv53SVriRuBCR536CbnAoSPOz:EIaW7/hWv6rVCT9nAFmz
MD5:	53CB22F6455800A3BA89DAD4E91D8AB7
SHA1:	7C15E05820248E34C0F339ADF7FD4D0065CDA14E
SHA-256:	C3BF329A7A6D009DDE75BFDEE126473A9E498CE8246C7196717465CC90D243EA
SHA-512:	50B93D0292C5CA0D4BB976CBCB1713D0D4BCCEB5EB0DE5B9487A826CCB018082729C3C3CF87FA634699E7E03EE2F8CFDD977D774248FFDAF11F37B2C066A3B14
Malicious:	false
Preview:	z..4U5R1VBAH.07.K4V5R1R.AH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L0.TK4X.?R.H...1{.j`>\!."0./@-].7Z8Z&.0'a:G".^:kp.fr\=&$f?A:.TK4V5R1:R.e.=.Ix:.(.#.,pb7LsA.*@..Ky@.<m9.2lF.5.u[,-#.?z.%N.%.Jd.)O.3.6`%S_x:.(5R1RBAH2L07TK4V5:..'AH2L`rTKxW1RE.B.H2L07TK4.5q0YCHH2.17T.6V5R1Rm.H2L 7TK.W5R1.BAX2L05TK1V5R1RBAM2L07TK4VEV1RFAH.w27VK4.5R!RBQH2L0'TK$V5R1RBQH2L07TK4V5R.G@A.2L074I4V6P1RBAH2L07TK4V5R1RBAH2L07T..W5N1RBAH2L07TK4V5R1RBAH2L07TK4.8P1.BAH2L07TK4V5.0R.@H2L07TK4V5R1RBAH2L07TK4V5R.&'9<2L0/.J4V%R1R.@H2H07TK4V5R1RBAH2l074eF2T&PRB.%2L0.UK485R1.CAH2L07TK4V5R1.BA..(QC5K4V.b1RBaJ2L&7TK>T5R1RBAH2L07TKtV5.. 13+2L07WI4VUP1RFCH2l27TK4V5R1RBAH2.07.K4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RBAH2L07TK4V5R1RB

C:\Users\user\AppData\Local\directory\svchost.exe

Download File

Process:	C:\Users\user\Desktop\hesaphareketi-01.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1426944
Entropy (8bit):	6.829592279872502
Encrypted:	false
SSDEEP:	24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aGM8k0V0F0t0Kta4Plh3:1TvC/MTQYxsWR7aGM8Nt0aXd
MD5:	7CCB3C07BF2918BBCAD959E27E17F083
SHA1:	978F8C090DA4173CDF2544B38B5E53AA6FC2FAB7
SHA-256:	E7413D14BE16F0EF9D69AB606B79523851EDCE48DDB94D335388F6EF10BB6388
SHA-512:	22D2552EB839A9643CD939ACF70501B91A933B44C29FDA7CCFC1BF5C3B1DA44229E87DCA3177424C23D30B61F76CEAD0DCD2C25BCED77CC141A5EBD6F29C56CC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 32%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...}.f..........".................w.............@.......................... ............@...@.......@.....................d...\|....@..D[.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D[...@...\..................@..@.reloc...u.......v...P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	282
Entropy (8bit):	3.437698893198017
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1Al1AX66AnriIM8lfQVn:DsO+vNlMkXg1Q1A1XmA2n
MD5:	3E75EF1E90D835BDAB3F3E041F6034A6
SHA1:	13796973D29CB3698B652246951DB9A1F289D6D7
SHA-256:	6915EBB0F1B6877CA9563CAF5B99057049869CDD7E86906DFAE4F848FD3F7CE0
SHA-512:	78A4982BFC1319F632A435055B269B00232AD419F4C3E8B975A533BC1B60746925514EB019048130559D9C63028B9DB904FDC9447EF38A5719040AE774C98F21
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.s.v.c.h.o.s.t...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.829592279872502
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hesaphareketi-01.exe
File size:	1'426'944 bytes
MD5:	7ccb3c07bf2918bbcad959e27e17f083
SHA1:	978f8c090da4173cdf2544b38b5e53aa6fc2fab7
SHA256:	e7413d14be16f0ef9d69ab606b79523851edce48ddb94d335388f6ef10bb6388
SHA512:	22d2552eb839a9643cd939acf70501b91a933b44c29fda7ccfc1bf5c3b1da44229e87dca3177424c23d30b61f76cead0dcd2c25bced77cc141a5ebd6f29c56cc
SSDEEP:	24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aGM8k0V0F0t0Kta4Plh3:1TvC/MTQYxsWR7aGM8Nt0aXd
TLSH:	6265C0033381D066FF9B92334B6AE6554B7C6D2A4133B91F139C397ABA70172163E663
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A2EA7D [Fri Jul 26 00:14:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F82707D5663h
jmp 00007F82707D4F6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F82707D514Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F82707D511Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F82707D7D0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F82707D7D58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F82707D7D41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x85b44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15a000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x85b44	0x85c00	d68db13276159e121ce8bb6774bf1ca6	False	0.6537364924065421	data	6.625245820154727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15a000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	English	Great Britain	0.13495903981710802
RT_MENU	0x107bf8	0x50	data	English	Great Britain	0.9
RT_STRING	0x107c48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x1081dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x108868	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x108cf8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x1092f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x109950	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x109db8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x109f10	0x4f716	data			1.000325754921665
RT_GROUP_ICON	0x159628	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x15963c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x159650	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x159664	0x14	data	English	Great Britain	1.25
RT_VERSION	0x159678	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x159754	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T09:28:35.751015+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49709	20.114.59.183	192.168.2.7
2024-07-26T09:29:13.984243+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49716	20.114.59.183	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 09:28:22.326683998 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:22.332300901 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:22.332410097 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.064399958 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.065337896 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.070302963 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.232450962 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.235796928 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.241972923 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.408287048 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.419652939 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.425196886 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.594178915 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.594234943 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.594245911 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.594378948 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.644068956 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.648889065 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.815005064 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:23.832745075 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:23.837789059 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.001095057 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.002338886 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:24.007359982 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.173393965 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.174701929 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:24.183026075 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.652523041 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.652853012 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:24.658832073 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.835227966 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:24.835635900 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:24.848756075 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.026390076 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.026649952 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.031539917 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.193887949 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.194763899 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.194830894 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.194854975 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.194890022 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.199763060 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.199775934 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.199788094 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.199800014 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.479321003 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.534137964 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.671852112 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.684897900 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.850708008 CEST	587	49707	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.864212036 CEST	49707	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.865269899 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:25.874227047 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:25.874339104 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:26.456748962 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.456896067 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:26.461667061 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.638889074 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.639131069 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:26.646224022 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.814392090 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.815232992 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:26.820713043 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.995887041 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.995912075 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.995938063 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:26.996001005 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:26.997891903 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.005470037 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.171631098 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.172945976 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.178961039 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.344738960 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.345050097 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.350048065 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.515414953 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.515711069 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.520654917 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.694652081 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.694977999 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.700968027 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.865314960 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:27.868724108 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:27.875298977 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.069890022 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.070120096 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.075046062 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.240107059 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.241499901 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241574049 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241607904 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241658926 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241719007 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241755009 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241795063 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241822004 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241877079 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.241877079 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:28.246608019 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.246622086 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.246634007 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.246860027 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.247209072 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.515594006 CEST	587	49708	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:28.565367937 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:35.977798939 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:35.983103991 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:35.983202934 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:36.382132053 CEST	49708	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:36.545331955 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:36.545618057 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:36.550595045 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:36.711930990 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:36.712272882 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:36.717232943 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:36.885413885 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:36.889549017 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:36.894649029 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.066459894 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.066503048 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.066514969 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.066625118 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:37.068392992 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:37.073250055 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.235311985 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.248517990 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:37.253540993 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.414742947 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:37.416074038 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:37.420952082 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.604008913 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.604367018 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.614924908 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.614950895 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.614965916 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.615001917 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.615001917 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.615024090 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.628684998 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.783353090 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.783828974 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.789468050 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.961935997 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:38.962605953 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:38.968837976 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.140575886 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.140847921 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.146239042 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.307365894 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.308281898 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.308382034 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.308382034 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.308478117 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.313189030 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.313298941 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.313309908 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.313477993 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.748722076 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.759049892 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.759109974 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.801134109 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.806114912 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.985371113 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:39.988991976 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:39.990001917 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.002911091 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.052902937 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.054137945 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.054543018 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.054560900 CEST	587	49714	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.054606915 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.055668116 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.055695057 CEST	49714	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.055764914 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.056694984 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.056740999 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.637592077 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.638025045 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.643014908 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.808615923 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.808943033 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.814172983 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.983532906 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:41.984235048 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:41.989192009 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.167578936 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.167598963 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.167610884 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.167757034 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.169497013 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.176677942 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.345566034 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.347265005 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.598113060 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.598257065 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.599334955 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.758769989 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.759320021 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.767287016 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.933788061 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:42.934281111 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:42.939779043 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.111854076 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.112170935 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.117052078 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.282543898 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.282812119 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.287714958 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.464205980 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.464545012 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.469433069 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.647098064 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.647692919 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647799015 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647799015 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647830963 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647880077 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647911072 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647967100 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.647995949 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.648021936 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.648056984 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:28:43.652885914 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652899027 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652908087 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652918100 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652926922 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652935982 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.652945042 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:43.987673044 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:28:44.034339905 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:30:15.941087008 CEST	49715	587	192.168.2.7	78.110.166.82
Jul 26, 2024 09:30:15.946127892 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:30:16.114233971 CEST	587	49715	78.110.166.82	192.168.2.7
Jul 26, 2024 09:30:16.115233898 CEST	49715	587	192.168.2.7	78.110.166.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 09:28:22.232264042 CEST	51021	53	192.168.2.7	1.1.1.1
Jul 26, 2024 09:28:22.318058968 CEST	53	51021	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 09:28:22.232264042 CEST	192.168.2.7	1.1.1.1	0x2e4b	Standard query (0)	zqamcx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 09:28:22.318058968 CEST	1.1.1.1	192.168.2.7	0x2e4b	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 26, 2024 09:28:23.064399958 CEST	587	49707	78.110.166.82	192.168.2.7	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 08:28:22 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 09:28:23.065337896 CEST	49707	587	192.168.2.7	78.110.166.82	EHLO 783875
Jul 26, 2024 09:28:23.232450962 CEST	587	49707	78.110.166.82	192.168.2.7	250-cphost14.qhoster.net Hello 783875 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 09:28:23.235796928 CEST	49707	587	192.168.2.7	78.110.166.82	STARTTLS
Jul 26, 2024 09:28:23.408287048 CEST	587	49707	78.110.166.82	192.168.2.7	220 TLS go ahead
Jul 26, 2024 09:28:26.456748962 CEST	587	49708	78.110.166.82	192.168.2.7	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 08:28:26 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 09:28:26.456896067 CEST	49708	587	192.168.2.7	78.110.166.82	EHLO 783875
Jul 26, 2024 09:28:26.638889074 CEST	587	49708	78.110.166.82	192.168.2.7	250-cphost14.qhoster.net Hello 783875 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 09:28:26.639131069 CEST	49708	587	192.168.2.7	78.110.166.82	STARTTLS
Jul 26, 2024 09:28:26.814392090 CEST	587	49708	78.110.166.82	192.168.2.7	220 TLS go ahead
Jul 26, 2024 09:28:36.545331955 CEST	587	49714	78.110.166.82	192.168.2.7	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 08:28:36 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 09:28:36.545618057 CEST	49714	587	192.168.2.7	78.110.166.82	EHLO 783875
Jul 26, 2024 09:28:36.711930990 CEST	587	49714	78.110.166.82	192.168.2.7	250-cphost14.qhoster.net Hello 783875 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 09:28:36.712272882 CEST	49714	587	192.168.2.7	78.110.166.82	STARTTLS
Jul 26, 2024 09:28:36.885413885 CEST	587	49714	78.110.166.82	192.168.2.7	220 TLS go ahead
Jul 26, 2024 09:28:41.637592077 CEST	587	49715	78.110.166.82	192.168.2.7	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 08:28:41 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 26, 2024 09:28:41.638025045 CEST	49715	587	192.168.2.7	78.110.166.82	EHLO 783875
Jul 26, 2024 09:28:41.808615923 CEST	587	49715	78.110.166.82	192.168.2.7	250-cphost14.qhoster.net Hello 783875 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 26, 2024 09:28:41.808943033 CEST	49715	587	192.168.2.7	78.110.166.82	STARTTLS
Jul 26, 2024 09:28:41.983532906 CEST	587	49715	78.110.166.82	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	03:28:15
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\hesaphareketi-01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x650000
File size:	1'426'944 bytes
MD5 hash:	7CCB3C07BF2918BBCAD959E27E17F083
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:28:16
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x20000
File size:	1'426'944 bytes
MD5 hash:	7CCB3C07BF2918BBCAD959E27E17F083
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1373146693.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 32%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:28:18
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hesaphareketi-01.exe"
Imagebase:	0x240000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:28:18
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0x20000
File size:	1'426'944 bytes
MD5 hash:	7CCB3C07BF2918BBCAD959E27E17F083
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1389742487.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:28:19
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0xac0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1533006921.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1525712678.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1532837929.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1530227385.0000000002B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1537629794.00000000055C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1533006921.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1534987989.0000000003FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1533006921.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:28:30
Start date:	26/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs"
Imagebase:	0x7ff7c1a00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:28:30
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0x20000
File size:	1'426'944 bytes
MD5 hash:	7CCB3C07BF2918BBCAD959E27E17F083
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.1505679613.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:28:32
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0x170000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:28:32
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\directory\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0x20000
File size:	1'426'944 bytes
MD5 hash:	7CCB3C07BF2918BBCAD959E27E17F083
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.1529937872.0000000002160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:28:34
Start date:	26/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\svchost.exe"
Imagebase:	0xac0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3823762351.0000000003188000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3823762351.000000000319F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3823762351.00000000031C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3.1%
Total number of Nodes:	1934
Total number of Limit Nodes:	55

Executed Functions

Function 006542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0065430D

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

GetCurrentProcess.KERNEL32(?,006ECB64,00000000,?,?), ref: 00654422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00654429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00654454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00654466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00654474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0065447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006544A0

Strings

GetNativeSystemInfo, xrefs: 00654460
|O, xrefs: 006936F8
kernel32.dll, xrefs: 0065444F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 78a360105b7f4e953348578ee2cec67ae59cd18518c1da8aa695ce887d434785
Instruction ID: d1229db66bd635ffbc9a381eb4b08ff54e23e51ed6654f6bec55a727f9c94828
Opcode Fuzzy Hash: 78a360105b7f4e953348578ee2cec67ae59cd18518c1da8aa695ce887d434785
Instruction Fuzzy Hash: 35A1917290A3D0CFCB31CB6978841D57FEBBB76305B84D899D44197B23D628464BCB29

Function 006542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006550AA,?,?,00000000,00000000), ref: 006542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006550AA,?,?,00000000,00000000), ref: 006542C9
LoadResource.KERNEL32(?,00000000,?,?,006550AA,?,?,00000000,00000000,?,?,?,?,?,?,00654F20), ref: 006935BE
SizeofResource.KERNEL32(?,00000000,?,?,006550AA,?,?,00000000,00000000,?,?,?,?,?,?,00654F20), ref: 006935D3
LockResource.KERNEL32(006550AA,?,?,006550AA,?,?,00000000,00000000,?,?,?,?,?,?,00654F20,?), ref: 006935E6

Strings

SCRIPT, xrefs: 006542BF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fce59e238b42b5a2df6009cf6409ea0874b37e850f5b3004a5a4fff83ede3820
Instruction ID: f9769746bb7edcce0e66cb8646505d8c36efaf626eb467f897af93ce7943ec36
Opcode Fuzzy Hash: fce59e238b42b5a2df6009cf6409ea0874b37e850f5b3004a5a4fff83ede3820
Instruction Fuzzy Hash: 7511AC70200701BFDB218B65DC88F677BBAEFC5B66F1041A9F9028A290DB71D9068620

Function 00692BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00652B6B

Part of subcall function 00653A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00721418,?,00652E7F,?,?,?,00000000), ref: 00653A78

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00712224), ref: 00692C10
ShellExecuteW.SHELL32(00000000,?,?,00712224), ref: 00692C17

Strings

runas, xrefs: 00692C0B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a7760e70622b8b0dff75030ce4f5de69896b17c91d574d7a89678516f2f42c71
Instruction ID: 41900bf2992666ef1c4b79e904dbd03b4992c0c215cca727da251fba4263bf26
Opcode Fuzzy Hash: a7760e70622b8b0dff75030ce4f5de69896b17c91d574d7a89678516f2f42c71
Instruction Fuzzy Hash: 23110A31204396AAC758FF24D8619FE77A7AFA1756F44142CF886021A3DF24964EC716

Function 006BDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00695222), ref: 006BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 006BDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 006BDBEE
FindClose.KERNEL32(00000000), ref: 006BDBFA

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7c7a436d471d2ab47c8993413a23828cb5d9d5877ac619fd0acc54f8a3afe699
Instruction ID: 536eb0267a568534381475238b03268e265374d4cb72334f6e2c1e5718fc8147
Opcode Fuzzy Hash: 7c7a436d471d2ab47c8993413a23828cb5d9d5877ac619fd0acc54f8a3afe699
Instruction Fuzzy Hash: 7FF0A0B0810A105BC3206B78AC4E8EA3B6E9E01374B104702F936CA2E0FBB05E968695

Function 0065D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0065D807
timeGetTime.WINMM ref: 0065DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0065DB28
TranslateMessage.USER32(?), ref: 0065DB7B
DispatchMessageW.USER32(?), ref: 0065DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0065DB9F
Sleep.KERNEL32(0000000A), ref: 0065DBB1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 6384eef77cb4479b0e76c396ebcac217eb850e32262ecca3671e4ba2779682e8
Instruction ID: 7977ddb8226260600a7b1aabcae716ddc6900fe612610d7984770880b4ec29b5
Opcode Fuzzy Hash: 6384eef77cb4479b0e76c396ebcac217eb850e32262ecca3671e4ba2779682e8
Instruction Fuzzy Hash: 2A42ED70648342AFD738DB28C894BAAB7A3BF46315F14851DE8568B3D1D770E849CF92

Function 0065344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00653A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00721418,?,00652E7F,?,?,?,00000000), ref: 00653A78

Part of subcall function 00653357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00653379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0065356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0069318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006931CE
RegCloseKey.ADVAPI32(?), ref: 00693210
_wcslen.LIBCMT ref: 00693277
_wcslen.LIBCMT ref: 00693286

Strings

Include, xrefs: 00693184, 006931C5
\Include\, xrefs: 00653527
\, xrefs: 0069328C
Software\AutoIt v3\AutoIt, xrefs: 00653560
<b, xrefs: 006534E2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: <b$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-319481290
Opcode ID: 3203bf08da7e580e913d298e386ff778127cf865aecd471bae7b9871fff4844f
Instruction ID: b6f9038dfe77727cd765c739aafd6c1ed179e7780dd37c9cdf6caa18552a8770
Opcode Fuzzy Hash: 3203bf08da7e580e913d298e386ff778127cf865aecd471bae7b9871fff4844f
Instruction Fuzzy Hash: 7071B471404311AEC764DF69DC818ABBBE9FF84750F40482DF94583272EB34DA4ACB69

Function 00652CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00652D07
RegisterClassExW.USER32(00000030), ref: 00652D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00652D42
InitCommonControlsEx.COMCTL32(?), ref: 00652D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00652D6F
LoadIconW.USER32(000000A9), ref: 00652D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00652D94

Strings

+, xrefs: 00652CF0
TaskbarCreated, xrefs: 00652D37
0, xrefs: 00652CE9
AutoIt v3 GUI, xrefs: 00652D23

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dae08b6424e42e31e8a010173d708220186e22e785f40eeafdd4aa9225f3184e
Instruction ID: 0e892ea2933e2b93f2e2b3f4331e3d69494aac59b8ae1d2ac942cecc70a94ef4
Opcode Fuzzy Hash: dae08b6424e42e31e8a010173d708220186e22e785f40eeafdd4aa9225f3184e
Instruction Fuzzy Hash: BB21F4B1D01388AFDB10DFA4EC89BDDBBB5FB08710F00811AF951AA2A0D7B51582CF95

Function 00688D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.g, xrefs: 0068903A, 00688FD0, 00688FF2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: .g
API String ID: 0-2054203957
Opcode ID: dd6ad19b5acd9a37f1d01901210e2f833b032564046d301c7589e707ddbf951f
Instruction ID: ba992429c3dc41ef0d86f74d2a6dac98a19d770687ba395b8ba6a272bd925e6d
Opcode Fuzzy Hash: dd6ad19b5acd9a37f1d01901210e2f833b032564046d301c7589e707ddbf951f
Instruction Fuzzy Hash: C2C1C374904249AFDB21EFE8C845BFDBBB2AF09310F18429DE515A7392C7349942CB75

Function 0069065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0069039A: CreateFileW.KERNELBASE(00000000,00000000,?,00690704,?,?,00000000,?,00690704,00000000,0000000C), ref: 006903B7

GetLastError.KERNEL32 ref: 0069076F
__dosmaperr.LIBCMT ref: 00690776
GetFileType.KERNELBASE(00000000), ref: 00690782
GetLastError.KERNEL32 ref: 0069078C
__dosmaperr.LIBCMT ref: 00690795
CloseHandle.KERNEL32(00000000), ref: 006907B5
CloseHandle.KERNEL32(?), ref: 006908FF
GetLastError.KERNEL32 ref: 00690931
__dosmaperr.LIBCMT ref: 00690938

Strings

H, xrefs: 006908BD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1793a960a0c088c8825cc3fd0a2471f501f1ac3879cb398db04b09a4ea6dc8dd
Instruction ID: 61be8149191f8781fc8cd08766da8d2541b88e9c317c32a72f21fe91be01d7c3
Opcode Fuzzy Hash: 1793a960a0c088c8825cc3fd0a2471f501f1ac3879cb398db04b09a4ea6dc8dd
Instruction Fuzzy Hash: 78A13732A001448FEF19EFA8D891BAE3BA6AB06320F14415DF8159F392DB359D13CB95

Function 00652B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00652B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00652B9D
LoadIconW.USER32(00000063), ref: 00652BB3
LoadIconW.USER32(000000A4), ref: 00652BC5
LoadIconW.USER32(000000A2), ref: 00652BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00652BEF
RegisterClassExW.USER32(?), ref: 00652C40

Part of subcall function 00652CD4: GetSysColorBrush.USER32(0000000F), ref: 00652D07
Part of subcall function 00652CD4: RegisterClassExW.USER32(00000030), ref: 00652D31
Part of subcall function 00652CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00652D42
Part of subcall function 00652CD4: InitCommonControlsEx.COMCTL32(?), ref: 00652D5F
Part of subcall function 00652CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00652D6F
Part of subcall function 00652CD4: LoadIconW.USER32(000000A9), ref: 00652D85
Part of subcall function 00652CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00652D94

Strings

#, xrefs: 00652C16
0, xrefs: 00652C0F
AutoIt v3, xrefs: 00652C2F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 63f634f8345902c878ead149d5ee6251ff4b8c5a76a7bc53d7a86c4faed7a235
Instruction ID: 783d483d010fc9a0bb01303295a4ab1fad87e89fdce480fc40ac6c879138e26d
Opcode Fuzzy Hash: 63f634f8345902c878ead149d5ee6251ff4b8c5a76a7bc53d7a86c4faed7a235
Instruction Fuzzy Hash: 1A212F70E00354ABDB20DFA5EC99A9D7FB6FB5CB50F40802AE500A66A1D7B90542CF98

Function 0065B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0065BB4E

Strings

p#r, xrefs: 0065BA72
x#r, xrefs: 006A0168
p#r, xrefs: 006A024F
p#r, xrefs: 006A0263
x#r, xrefs: 006A0207
p#r, xrefs: 0065BB6B
p%r, xrefs: 0065B8DC
p%r, xrefs: 0065BB32

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#r$p#r$p#r$p#r$p%r$p%r$x#r$x#r
API String ID: 1385522511-3537283183
Opcode ID: c7a2bd5ca755cbaee19cd7548097d09dc4c359b8c9c42790fde85c5326e57882
Instruction ID: 4535fb2b3ead4eecda16b32cec7f3033e232f6e8a6143c6f60d947636fb59c33
Opcode Fuzzy Hash: c7a2bd5ca755cbaee19cd7548097d09dc4c359b8c9c42790fde85c5326e57882
Instruction Fuzzy Hash: 9232AC34A00209AFEB20DF54C894ABEB7BBEF46311F149059ED05AB352C778ED46CB95

Function 00653170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0065316A,?,?), ref: 006531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0065316A,?,?), ref: 00653204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00653227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0065316A,?,?), ref: 00653232
CreatePopupMenu.USER32 ref: 00653246
PostQuitMessage.USER32(00000000), ref: 00653267

Strings

TaskbarCreated, xrefs: 0065322D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b75c35a19e7d592b5cb2c43ebb7d342dc149a7e75c6dda8422b49b17a436be8e
Instruction ID: b2e0193ca8c4c6342d9392ee841b1043713f5ca121fb9add3406ca8af45fa62b
Opcode Fuzzy Hash: b75c35a19e7d592b5cb2c43ebb7d342dc149a7e75c6dda8422b49b17a436be8e
Instruction Fuzzy Hash: E4418A30200660A7DF345B389C59BB93A1FFB01BC2F444129FD0186792CB759B4A8769

Function 0065DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%r, xrefs: 0065E4B1
D%rD%r, xrefs: 0065E27E
D%r, xrefs: 0065E1E0
Variable must be of type 'Object'., xrefs: 006A32B7
D%r, xrefs: 006A2FDA
D%r, xrefs: 006A302D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: D%r$D%r$D%r$D%r$D%rD%r$Variable must be of type 'Object'.
API String ID: 0-2193904104
Opcode ID: d2269dba14cd6548b1af865f0e775a3a5738c68fa81f0df53522b7009e514b9a
Instruction ID: f285ea1f4daf18e3e00c838c25d4ef3a48057208049ffb25b7f016617176d76d
Opcode Fuzzy Hash: d2269dba14cd6548b1af865f0e775a3a5738c68fa81f0df53522b7009e514b9a
Instruction Fuzzy Hash: 4AC29C71E00214DFCF28DF58C880AADB7B2BF09311F248169E955AB391D336EE46CB95

Function 00600920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00600965

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 739387d873d284b9e0a82bd2f65a46ed206cb3678d14379cb2b2c2373d0c3f3e
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 8751F775A50208FBEF24DFA4CC49FDF7779AF48700F108554FA0AEA2C0DA749A459B60

Function 00652C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00652C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00652CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00651CAD,?), ref: 00652CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00651CAD,?), ref: 00652CCF

Strings

edit, xrefs: 00652CAC
AutoIt v3, xrefs: 00652C89, 00652C8E, 00652C8F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1c20f2be02cdbd0b90e4c4cafd8d5f062fd96cf1cba39e44dba258b83739478a
Instruction ID: 1509880fc33566b40d0e0048bd747752c72185296fb345744600f98fd590af85
Opcode Fuzzy Hash: 1c20f2be02cdbd0b90e4c4cafd8d5f062fd96cf1cba39e44dba258b83739478a
Instruction Fuzzy Hash: E9F030755413D47AEB3047136C58E772E7FE7DAF60F414029F90097561C2790842DA74

Function 006C2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006C2C05
DeleteFileW.KERNEL32(?), ref: 006C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006C2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006C2CC0

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6be0a623fd9ff0849534b887a95c759efb000d87a4f7acee3a6bfda60c340004
Instruction ID: 4ab3bab4b5c458864c7ef19a617d28bbded4d81e3badd815dcef5ed29f817341
Opcode Fuzzy Hash: 6be0a623fd9ff0849534b887a95c759efb000d87a4f7acee3a6bfda60c340004
Instruction Fuzzy Hash: 78B15071D00119ABDF51DBA4CC95EEEB7BEEF48350F1040AEFA09E6141EA319A448F65

Function 00685AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOe, xrefs: 00685BA8, 00685C6C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: JOe
API String ID: 0-3363116825
Opcode ID: ddf2f1a9e083bc1839c8c9ee76958112556efd9d69f2a4c412275228236bda8f
Instruction ID: e8ef6f272a6b7b0d9d00f1edd31f41d5a408005c6fc68c5e29d47675ca08c604
Opcode Fuzzy Hash: ddf2f1a9e083bc1839c8c9ee76958112556efd9d69f2a4c412275228236bda8f
Instruction Fuzzy Hash: C151C075D006099FCF21BFA8C845FEEBBBAAF15310F14425EF406A7292D7319A02CB65

Function 006023C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006022B0: Sleep.KERNELBASE(000001F4), ref: 006022C1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 006024F8

Strings

7TK4V5R1RBAH2L0, xrefs: 00602578, 0060257B

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFileSleep
String ID: 7TK4V5R1RBAH2L0
API String ID: 2694422964-1756953944
Opcode ID: aade71850ed8eb10ac6f16a36d44cd90a50e86393c9e39140f740d34bf16a475
Instruction ID: caed4a0938e82138cf8853cce2ffd95c1c4349e58fc626d8c766a959c4a4b8d9
Opcode Fuzzy Hash: aade71850ed8eb10ac6f16a36d44cd90a50e86393c9e39140f740d34bf16a475
Instruction Fuzzy Hash: CD51A430D04249DBEF15DBA4C868BEFB779AF18300F004199E649BB2C1DB791B45CB69

Function 00653B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00653B0F,SwapMouseButtons,00000004,?), ref: 00653B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00653B0F,SwapMouseButtons,00000004,?), ref: 00653B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00653B0F,SwapMouseButtons,00000004,?), ref: 00653B83

Strings

Control Panel\Mouse, xrefs: 00653B3E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 907bc2682818df922bd664a387d7361281f9316733459ff2e75c622d38d161f2
Instruction ID: bfe2c28518de5ff4789866d10faaa5e8bd943de483b7927bf5a9c0bc9ebe3a03
Opcode Fuzzy Hash: 907bc2682818df922bd664a387d7361281f9316733459ff2e75c622d38d161f2
Instruction Fuzzy Hash: D6112AB5510228FFDB20CFA5DC84AEEB7B9EF24B95F104459F805D7210D2319F499760

Function 00653923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006933A2

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00653A04

Strings

Line: , xrefs: 006933EB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7afb4bf88d1cc87138735b64e11f4705e67cc82242a4c30013d730299802f4d8
Instruction ID: 09443a0868a8819de0f64ffd3e2ea0bf9cc63d204c6efb2a44c8ca5606384701
Opcode Fuzzy Hash: 7afb4bf88d1cc87138735b64e11f4705e67cc82242a4c30013d730299802f4d8
Instruction Fuzzy Hash: 633135B1408324AEC720EB10DC45BEB73DAAF50751F00492EF99983291EB74964DC7CA

Function 00652DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00692C8C

Part of subcall function 00653AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00653A97,?,?,00652E7F,?,?,?,00000000), ref: 00653AC2

Part of subcall function 00652DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00652DC4

Strings

`eq, xrefs: 00692C85
X, xrefs: 00692C5A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eq
API String ID: 779396738-2521718294
Opcode ID: 5eea4695bbcb712421c7cf0afe6b0978c6269b011984b357348e6a2486a37af3
Instruction ID: 983a35442e7b49877046eb6310b34380cc1eb036ede0f771b276c1b577e21da1
Opcode Fuzzy Hash: 5eea4695bbcb712421c7cf0afe6b0978c6269b011984b357348e6a2486a37af3
Instruction Fuzzy Hash: D721C671A002989FDF41DF94C8457EE7BFEAF49315F00805DE805AB241DBB8568DCB65

Function 0066FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00670668

Part of subcall function 006732A4: RaiseException.KERNEL32(?,?,?,0067068A,?,00721444,?,?,?,?,?,?,0067068A,00651129,00718738,00651129), ref: 00673304

__CxxThrowException@8.LIBVCRUNTIME ref: 00670685

Strings

Unknown exception, xrefs: 00670692

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 58a3f19f096aaa572128a6c3ad3c80b3992c420e2081a703cd4caf91f9dc6981
Instruction ID: 8899e42144b4caede2df655531f9ac538a49a02422e7d31342e0ec7c05099c52
Opcode Fuzzy Hash: 58a3f19f096aaa572128a6c3ad3c80b3992c420e2081a703cd4caf91f9dc6981
Instruction Fuzzy Hash: 07F0C83490020DB7DB40B764E856CDE7B6F5E40350B60C139B82C956D2EF71EB65C995

Function 00601000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00601045
ExitProcess.KERNEL32(00000000), ref: 00601064

Strings

D, xrefs: 00601011

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction ID: 1af39b1a28ea060cb7d56afd31c2f78517ed54d1ddfff967316209593b91c159
Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction Fuzzy Hash: 95F0ECB154024CABDB64DFE0CC49FEF777DBF04701F108508FA4A9A180EA7896488B65

Function 006C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006C302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006C3044

Strings

aut, xrefs: 006C3038

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: fd5bb263c86c3d43ba352f2cb7e762c3734bf42ac641e821c3190bf92ab4ceff
Instruction ID: d1f8903298247c4fbd31c2a061ac8a614f1e6c92bc2c2842731623cd4a6a9fee
Opcode Fuzzy Hash: fd5bb263c86c3d43ba352f2cb7e762c3734bf42ac641e821c3190bf92ab4ceff
Instruction Fuzzy Hash: 7BD05B715003146BDB2097949C4EFC73A6CDB04761F0001517755D60D1DAB49685CAD0

Function 006D7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006D82F5
TerminateProcess.KERNEL32(00000000), ref: 006D82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 006D84DD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 03acb813dd439289b8b86dff8def6405f99d5b0c5490b8b516a7df050d76c43a
Instruction ID: bff3243906f2a894c7ad6ce48ae9a6beca7a38520cf16d0dfc6e018383c93b57
Opcode Fuzzy Hash: 03acb813dd439289b8b86dff8def6405f99d5b0c5490b8b516a7df050d76c43a
Instruction Fuzzy Hash: AB125B719083419FC754DF28C484B6ABBE6FF89318F04895EE8998B352DB31ED45CB92

Function 006510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00651BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00651BF4
Part of subcall function 00651BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00651BFC
Part of subcall function 00651BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00651C07
Part of subcall function 00651BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00651C12
Part of subcall function 00651BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00651C1A
Part of subcall function 00651BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00651C22

Part of subcall function 00651B4A: RegisterWindowMessageW.USER32(00000004,?,006512C4), ref: 00651BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0065136A
OleInitialize.OLE32 ref: 00651388
CloseHandle.KERNEL32(00000000,00000000), ref: 006924AB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b6bc64086a1183459b1570bf98a9c52f62531e7e0bb1e7c8f8e5622f368e4a7e
Instruction ID: 1d2263b783836e5a4b9491bb4e5b66f266908f8d4b7dfa5e82b79d82a66b772d
Opcode Fuzzy Hash: b6bc64086a1183459b1570bf98a9c52f62531e7e0bb1e7c8f8e5622f368e4a7e
Instruction Fuzzy Hash: 8971CDB48113848EC7A4EF7AA8856553AE2FBA9350794C2BED41AC7361EB384517CF4C

Function 006886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,006885CC,?,00718CC8,0000000C), ref: 00688704
GetLastError.KERNEL32(?,006885CC,?,00718CC8,0000000C), ref: 0068870E
__dosmaperr.LIBCMT ref: 00688739

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: d5c134127179d2cd3cc0bb4cc8ab802801079b77e6987ef06b4afe5ce1718900
Instruction ID: 512f680dffe422c70b9d41c06c27de5eeef2bd5594787abc22dd94d15fa47bce
Opcode Fuzzy Hash: d5c134127179d2cd3cc0bb4cc8ab802801079b77e6987ef06b4afe5ce1718900
Instruction Fuzzy Hash: 0C016632A046602FC6B07334A845BBE275B4B82774F78031DF8198B2D3FEA09CC28394

Function 006C2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,006C2CD4,?,?,?,00000004,00000001), ref: 006C2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006C3006
CloseHandle.KERNEL32(00000000,?,006C2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006C300D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0306791570c5209209266630501fbf0ef01385a713569006f08bb30f9bcb4c74
Instruction ID: 344851e8ecba3cbe91bfa5799cdf978f10e63d4d26aabecfe7257b0291e8767a
Opcode Fuzzy Hash: 0306791570c5209209266630501fbf0ef01385a713569006f08bb30f9bcb4c74
Instruction Fuzzy Hash: AAE0863228036077D3301755BC4DFCB3E1DDB86B75F104214FB19791D046A0550246A8

Function 00661310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006617F6

Strings

CALL, xrefs: 006617C6

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b020c8a4e129ce6bdb5e7640459d62b6ef54bb05aee8d06d06e563d17c46495a
Instruction ID: f4fdb87fb3bf7881a837351de71db10a786f6ef5ee60640852ff05c3874bcec8
Opcode Fuzzy Hash: b020c8a4e129ce6bdb5e7640459d62b6ef54bb05aee8d06d06e563d17c46495a
Instruction Fuzzy Hash: 322279B06082419FC754DF14C480A6ABBF2BF8A314F18895DF4968B362D771ED46CB96

Function 006C6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006C6F6B

Part of subcall function 00654ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 006C6F5A, 006C6F63

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: bb89fa481410252c8b242aaaab465179026fe7ebbc46bb86ead4191daff17d6f
Instruction ID: ab55b3584b64bf21f77739fe7252f700c7126361437d523399f28abba2e65870
Opcode Fuzzy Hash: bb89fa481410252c8b242aaaab465179026fe7ebbc46bb86ead4191daff17d6f
Instruction Fuzzy Hash: 7AB15F711082018FCB54EF24C491DAEB7E6EF94315F04895DF896972A2EF30ED49CB96

Function 006C2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006C2587

Strings

EA06, xrefs: 006C25B9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 5746ecc4057e9ab88402382d59acf10aaee99685254d25b3055a66d33642a7d3
Instruction ID: 13d6649466aed7869141c4e2cb37111285d71cd570847e9d75a229d36a92bdf4
Opcode Fuzzy Hash: 5746ecc4057e9ab88402382d59acf10aaee99685254d25b3055a66d33642a7d3
Instruction Fuzzy Hash: F901F5729042187EDF58C7A8C816FFEBBF8DB05301F00859EE552D21C1E4B5E6088B60

Function 00653837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00653908

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7bd57cb03348205f3e7089ad035d8eeef39627dd44c53bb20aa5f964fe7d4c33
Instruction ID: bde5487bc9b110165cd73c1087169afb1ba45195ae026ff73014243caebaca8f
Opcode Fuzzy Hash: 7bd57cb03348205f3e7089ad035d8eeef39627dd44c53bb20aa5f964fe7d4c33
Instruction Fuzzy Hash: D231DDB06043118FD721DF24C8847D7BBEAFB48759F00082EF99A87381E771AA48CB56

Function 00601070 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 006008E0: GetFileAttributesW.KERNELBASE(?), ref: 006008EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 006011BA

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 2a5ba123f5fa21b30e798de62a15a43cb0eadb21c77589e1f2927046e7453db0
Instruction ID: 729c84eb35cef105655ad220b2f5e73629033dddb99e2d60b150f0440e41a960
Opcode Fuzzy Hash: 2a5ba123f5fa21b30e798de62a15a43cb0eadb21c77589e1f2927046e7453db0
Instruction Fuzzy Hash: F2518631A1020997EF14EFA0C854BEF737AEF58300F004569B609EB2D0EB799B85CB95

Function 00654ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00654E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00654EDD,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E9C
Part of subcall function 00654E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00654EAE
Part of subcall function 00654E90: FreeLibrary.KERNEL32(00000000,?,?,00654EDD,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654EFD

Part of subcall function 00654E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00693CDE,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E62
Part of subcall function 00654E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00654E74
Part of subcall function 00654E59: FreeLibrary.KERNEL32(00000000,?,?,00693CDE,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E87

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d9d1cda7a938151f1083f483a2738c2b4ae51f8c81670776975d050b6967737b
Instruction ID: 8cfea4965fd7627bf3c7fd85242d37b6e5836b65d16e051762006636d18ff633
Opcode Fuzzy Hash: d9d1cda7a938151f1083f483a2738c2b4ae51f8c81670776975d050b6967737b
Instruction Fuzzy Hash: 25112731600305ABCF20AB64DC13FED77A79F80716F10846DF942AA2C1DE719A899B58

Function 00688402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00688440

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 34fe8b4899aeca4906800a0d652637d339b80dd1cd2d8cfd07b205ba3f8d7ee6
Instruction ID: 7cb5516d7d9e6bb6c651fa09d866eb454ba8ab5a125e510057c21e358af687ec
Opcode Fuzzy Hash: 34fe8b4899aeca4906800a0d652637d339b80dd1cd2d8cfd07b205ba3f8d7ee6
Instruction Fuzzy Hash: 6B11187690410AAFCF15DF58E9459DA7BF9EF48314F104159FC08AB312DB31DA11CBA5

Function 00685000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00684C7D: RtlAllocateHeap.NTDLL(00000008,00651129,00000000,?,00682E29,00000001,00000364,?,?,?,0067F2DE,00683863,00721444,?,0066FDF5,?), ref: 00684CBE

_free.LIBCMT ref: 0068506C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e9001b339ea05cd7597037358b083ecdc6ce5ed09acf64951df07bb0b7c8b5e3
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: D30149722047056BE3319F69D881A9AFBEEFB89370F25071DE185832C0EA30A805C7B4

Function 0067E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ce59425beb689528b2b3a0803b6e269519891e65598e675e3c1cec6942fc88aa
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D4F02D32510A109AC7313A658C05B96339F9F56331F10875DF429932D2DF75D40687AD

Function 00684C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00651129,00000000,?,00682E29,00000001,00000364,?,?,?,0067F2DE,00683863,00721444,?,0066FDF5,?), ref: 00684CBE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6f5834232dc2b2d7b7115c9b3cd561a30314433b9d632661b160d27c9b682eb2
Instruction ID: 4e66fade5ec09ac97d8ed61349ee3a4715805f1d0a2b0c1a75379742fcbe8485
Opcode Fuzzy Hash: 6f5834232dc2b2d7b7115c9b3cd561a30314433b9d632661b160d27c9b682eb2
Instruction Fuzzy Hash: A1F0E93160232667DB217F629C09F9A778FBF417B0B148315F819AA381CF30D80147E4

Function 00683820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6,?,00651129), ref: 00683852

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d3bfa437fb6d7bac5e435e2f448e5153ee96fcd75765b3ea1cb25a76605aa2a
Instruction ID: e57252ac323efe4cf35a316f952d116ae403dceea70ea8c40a7e0e39a7499a1a
Opcode Fuzzy Hash: 9d3bfa437fb6d7bac5e435e2f448e5153ee96fcd75765b3ea1cb25a76605aa2a
Instruction Fuzzy Hash: C8E0657120123457D73137669C05BDA375BAF42FB0F154225BD19A6791DF21DE0283E5

Function 00654F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654F6D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 442beb4ff42ef7294f5461730e2cd43797ef11838acce746a2fac190a9f2742b
Instruction ID: bb447280d2e05777c6d42886680fd2d30f26418ad2caeae4b7c91520adf8f7a6
Opcode Fuzzy Hash: 442beb4ff42ef7294f5461730e2cd43797ef11838acce746a2fac190a9f2742b
Instruction Fuzzy Hash: B9F03071105751CFDB349F68D490892B7F6AF5432E720C9BEE5DA86611CB319888DF10

Function 00652DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00652DC4

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3296704a66b7fad363819037c5ec3ece6009363ce7c61283e5975a316511eb8a
Instruction ID: 6f6724d3d812cfaec9662fe2ac5accb29db9f2a77b7f9d2a72e17cea6609aa0b
Opcode Fuzzy Hash: 3296704a66b7fad363819037c5ec3ece6009363ce7c61283e5975a316511eb8a
Instruction Fuzzy Hash: 41E0CD726002245BCB109258DC06FEA77DEDFC9790F044075FD09D7248E970AD84C554

Function 006C2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006C26B5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 02cb4efcaa353664c2be7f2520ad7c3600f0239c8e587d1b06971885e3b53e37
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 00E048B06097005FDF395A28A861BF677D5DF49300F04055EF59F82352E5726845865D

Function 00652B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00653837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00653908

Part of subcall function 0065D730: GetInputState.USER32 ref: 0065D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00652B6B

Part of subcall function 006530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0065314E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 40c999a5cbd766a30b6ab39f99a6c0be70ce32265e7c2d00d27cc90e600a0995
Instruction ID: 7111602fcebae8006b3cee7cbfcc01de4248b4b353fb619188c6b85b8ee6c701
Opcode Fuzzy Hash: 40c999a5cbd766a30b6ab39f99a6c0be70ce32265e7c2d00d27cc90e600a0995
Instruction Fuzzy Hash: E1E0262230039406C648BB30A8524ADA75B9BE1793F80193EF846832A3CE24454E8219

Function 006008E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 006008EB

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 282aa8028cf4e7c9df9b9bca44aee3538158195750fe9f6e36bed966a18e75ae
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 13E0867158920CDFFB18CBB8C8047EA73A9D704310F104754E415C32C1D5308D419654

Function 006008B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 006008BB

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: f84b96147c0435db9053078e8df913696937c29c01332145318b66a5bf700b2b
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 23D05E3094620CABDB10CAA49804ADA73A8AB04320F108755E915932C0D63199409790

Function 0069039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00690704,?,?,00000000,?,00690704,00000000,0000000C), ref: 006903B7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aca095a7001605555c303e2941296a5305b67fc124bae2dcb2e608b777a3f51e
Instruction ID: ae6bcf3653203c91a21b78b9659ac26365f5240972e12a901b948c67c24d61c3
Opcode Fuzzy Hash: aca095a7001605555c303e2941296a5305b67fc124bae2dcb2e608b777a3f51e
Instruction Fuzzy Hash: 4ED06C3204024DBBDF028F84DD46EDA3FAAFB48714F014000BE1856020C732E822AB91

Function 00651CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00651CBC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 47e506b50181b68d6dd6a3dd142f6c81153a22e48075472ce671746b7eb42e2d
Instruction ID: 24ebb36ed78e265add8f37f47326ed41ed5d1524bbe73ca82e3902bbbe7bbae0
Opcode Fuzzy Hash: 47e506b50181b68d6dd6a3dd142f6c81153a22e48075472ce671746b7eb42e2d
Instruction Fuzzy Hash: 8FC09B35280344BFF3248780BC5AF107755B35CB10F54C001F609595E3C3A55432D654

Function 006AD8DD Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(00000104,?), ref: 006AD8E9

Part of subcall function 006533A7: _wcslen.LIBCMT ref: 006533AB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: PathTemp_wcslen
String ID:
API String ID: 1974555822-0
Opcode ID: 35064154f48615aa9f5a1ddbdac7ec2414822b76c95c0b38b586521033171074
Instruction ID: 2b82ee64c58c57e9ab5cb0587ad42ecc35b0de7d9f96a28b56d8eb61a8efbd70
Opcode Fuzzy Hash: 35064154f48615aa9f5a1ddbdac7ec2414822b76c95c0b38b586521033171074
Instruction Fuzzy Hash: 86C04C7450115A9FDB90A790CCC9AA87726FF00701F104095E60695050DE705B4A8F11

Function 0066FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0066FD1F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 38641d6e29a2008343e65478c55ae8670e334d7146b6c455df2e0090fd07a4d4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9431E275A00109DBC718CF59E4809AAFBA6FF89300B2486A5E809CF756D731EDC1CBC0

Function 006022AC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 006022C1

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9d1f4244dc0ad68b2bde533390f0727cf44dc7bf39b5d800e906ca8dfca3ebe6
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 7BE09A7498010EAFDB00EFA4D54969E7BB4EF04301F1005A1FD0596680DA309A548A62

Function 006022B0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 006022C1

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2acc3c6b541d933732845166f734b176d7d49335cb8f484318bd55d753e99448
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 98E0BF7498010E9FDB00EFA4D54969E7BB4EF04301F1001A1FD0192280D6309A508A62

Non-executed Functions

Function 006E9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006E96C9
SendMessageW.USER32 ref: 006E96F2
GetKeyState.USER32(00000011), ref: 006E978B
GetKeyState.USER32(00000009), ref: 006E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006E97AE
GetKeyState.USER32(00000010), ref: 006E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006E97E9
SendMessageW.USER32 ref: 006E9810
SendMessageW.USER32(?,00001030,?,006E7E95), ref: 006E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006E9941
SetCapture.USER32(?), ref: 006E994A
ClientToScreen.USER32(?,?), ref: 006E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006E99D6
ReleaseCapture.USER32 ref: 006E99E1
GetCursorPos.USER32(?), ref: 006E9A19
ScreenToClient.USER32(?,?), ref: 006E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 006E9A80
SendMessageW.USER32 ref: 006E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 006E9AEB
SendMessageW.USER32 ref: 006E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006E9B4A
GetCursorPos.USER32(?), ref: 006E9B68
ScreenToClient.USER32(?,?), ref: 006E9B75
GetParent.USER32(?), ref: 006E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 006E9BFA
SendMessageW.USER32 ref: 006E9C2B
ClientToScreen.USER32(?,?), ref: 006E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 006E9CDE
SendMessageW.USER32 ref: 006E9D01
ClientToScreen.USER32(?,?), ref: 006E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006E9D82

Part of subcall function 00669944: GetWindowLongW.USER32(?,000000EB), ref: 00669952

GetWindowLongW.USER32(?,000000F0), ref: 006E9E05

Strings

p#r, xrefs: 006E9990
F, xrefs: 006E9D07
@GUI_DRAGID, xrefs: 006E997D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#r
API String ID: 3429851547-1426232733
Opcode ID: 088ff62231dd88897168e2340455309fed83f1472120c805eb0633a6af840eb8
Instruction ID: 59efd8f7bad7d6fd94ea9ab98a92cca95d4942506c068969b08063b1088a1931
Opcode Fuzzy Hash: 088ff62231dd88897168e2340455309fed83f1472120c805eb0633a6af840eb8
Instruction Fuzzy Hash: 05427F34105381AFDB24CF25CC84AAABBF6FF49720F14461AFA99872A1D731AC55CF61

Function 006E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 006E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 006E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 006E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 006E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 006E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 006E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006E4A7E
IsMenu.USER32(?), ref: 006E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006E4B20
GetWindowLongW.USER32(?,000000F0), ref: 006E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 006E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 006E4C82
wsprintfW.USER32 ref: 006E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 006E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 006E4D5A

Strings

%d/%02d/%02d, xrefs: 006E4CA8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7fd1cbb42ce5c30d6b7ad9495fa65f2b19ccc5ce895c6ddea30b4dd4a8fafce5
Instruction ID: b82878b59713ad524887e61069f2d9a2722be30d2c77e8eefc3b977cc4f54094
Opcode Fuzzy Hash: 7fd1cbb42ce5c30d6b7ad9495fa65f2b19ccc5ce895c6ddea30b4dd4a8fafce5
Instruction Fuzzy Hash: 9E12D071901394ABEB248F39CC49FAF7BBAAF85710F104129F915EB2E1DB749942CB50

Function 0066F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0066F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006AF474
IsIconic.USER32(00000000), ref: 006AF47D
ShowWindow.USER32(00000000,00000009), ref: 006AF48A
SetForegroundWindow.USER32(00000000), ref: 006AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006AF4AA
GetCurrentThreadId.KERNEL32 ref: 006AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 006AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006AF4DE
SetForegroundWindow.USER32(00000000), ref: 006AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 006AF4F6
keybd_event.USER32(00000012,00000000), ref: 006AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 006AF50B
keybd_event.USER32(00000012,00000000), ref: 006AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 006AF519
keybd_event.USER32(00000012,00000000), ref: 006AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 006AF528
keybd_event.USER32(00000012,00000000), ref: 006AF52D
SetForegroundWindow.USER32(00000000), ref: 006AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 006AF557

Strings

Shell_TrayWnd, xrefs: 006AF46F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6e7a55e0a2daabb2dbdf135f40d2ebffafc350b37bfaa3447026c113ef2272cc
Instruction ID: 5a95207ec0424450c97d45a8733002ef173f32789b726257dd0510b2dd7c7af3
Opcode Fuzzy Hash: 6e7a55e0a2daabb2dbdf135f40d2ebffafc350b37bfaa3447026c113ef2272cc
Instruction Fuzzy Hash: 56317271A40358BFEB206BF55C8AFBF7E6EEB45B60F101025FA00EA1D1C6B05D11AE61

Function 006B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006B170D
Part of subcall function 006B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006B173A
Part of subcall function 006B16C3: GetLastError.KERNEL32 ref: 006B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006B12A8
CloseHandle.KERNEL32(?), ref: 006B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006B12D1
GetProcessWindowStation.USER32 ref: 006B12EA
SetProcessWindowStation.USER32(00000000), ref: 006B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006B1310

Part of subcall function 006B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006B11FC), ref: 006B10D4
Part of subcall function 006B10BF: CloseHandle.KERNEL32(?,?,006B11FC), ref: 006B10E9

Strings

winsta0, xrefs: 006B12CC
, xrefs: 006B125A
default, xrefs: 006B130B
Zq, xrefs: 006B1392

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zq
API String ID: 22674027-3569899062
Opcode ID: ee12c6000d26148bbe2ad219168b40492b90355a9e1273cb0bf96f4a0c6a63a6
Instruction ID: 10c47d57d301f2c9d1868eddfa755782b8720605b6bcbcf7d603e816121b01d2
Opcode Fuzzy Hash: ee12c6000d26148bbe2ad219168b40492b90355a9e1273cb0bf96f4a0c6a63a6
Instruction Fuzzy Hash: 35819FB1900349BFDF209FA4DC59FEE7BBAEF05714F144129F910AA2A0DB318985CB60

Function 006B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006B1114
Part of subcall function 006B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1120
Part of subcall function 006B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B112F
Part of subcall function 006B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1136
Part of subcall function 006B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006B0C00
GetLengthSid.ADVAPI32(?), ref: 006B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 006B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006B0C6D
GetLengthSid.ADVAPI32(?), ref: 006B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 006B0C8C
HeapAlloc.KERNEL32(00000000), ref: 006B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006B0CB4
CopySid.ADVAPI32(00000000), ref: 006B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0D45
HeapFree.KERNEL32(00000000), ref: 006B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0D55
HeapFree.KERNEL32(00000000), ref: 006B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0D65
HeapFree.KERNEL32(00000000), ref: 006B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 006B0D78
HeapFree.KERNEL32(00000000), ref: 006B0D7F

Part of subcall function 006B1193: GetProcessHeap.KERNEL32(00000008,006B0BB1,?,00000000,?,006B0BB1,?), ref: 006B11A1
Part of subcall function 006B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006B0BB1,?), ref: 006B11A8
Part of subcall function 006B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006B0BB1,?), ref: 006B11B7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9eaa5b684d3aef9a07a0ded936eecb147692a3e49dc007dc08b2a5f441becb1b
Instruction ID: 4703d2f15f0df04b0270b98e7ecda986f9a9cfa727f29f946df02e3d41b34026
Opcode Fuzzy Hash: 9eaa5b684d3aef9a07a0ded936eecb147692a3e49dc007dc08b2a5f441becb1b
Instruction Fuzzy Hash: 8D7150B190020AABEF10DFA4DC84FEFBBBABF05310F144515E915AB291D771A946CB60

Function 006CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006ECC08), ref: 006CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 006CEB37
GetClipboardData.USER32(0000000D), ref: 006CEB43
CloseClipboard.USER32 ref: 006CEB4F
GlobalLock.KERNEL32(00000000), ref: 006CEB87
CloseClipboard.USER32 ref: 006CEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 006CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 006CEBC9
GetClipboardData.USER32(00000001), ref: 006CEBD1
GlobalLock.KERNEL32(00000000), ref: 006CEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 006CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 006CEC38
GetClipboardData.USER32(0000000F), ref: 006CEC44
GlobalLock.KERNEL32(00000000), ref: 006CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006CECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 006CECF3
CountClipboardFormats.USER32 ref: 006CED14
CloseClipboard.USER32 ref: 006CED59

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2ad140b4631863960f04f7851859d794337752d120597d5bb19d2e677d673ad4
Instruction ID: a93dabdcf46f52e6363cf72ed7edb501f66ac4bc7a180ccbb268770cd562bf25
Opcode Fuzzy Hash: 2ad140b4631863960f04f7851859d794337752d120597d5bb19d2e677d673ad4
Instruction Fuzzy Hash: 526178342043419FD310EF64D885F7A7BB6EF84724F14551DF8569B2A2DB32E90ACBA2

Function 006C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006C69BE
FindClose.KERNEL32(00000000), ref: 006C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006C6A75

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 006C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 006C6ADF

Strings

%02d, xrefs: 006C6C00, 006C6C0A, 006C6C5A, 006C6CAA, 006C6CFA, 006C6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 006C6B32
%4d%02d%02d%02d%02d%02d, xrefs: 006C6B6A
%03d, xrefs: 006C6DA2
%4d, xrefs: 006C6BB1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a194867a16ae46686a410c925fa1bec71d71c1185f40a6a6aff58ecee23d3858
Instruction ID: 55b9269ea117e0849a8885d48441a8a2d6afd6c0bf19c144b52eac8f2a9c33d0
Opcode Fuzzy Hash: a194867a16ae46686a410c925fa1bec71d71c1185f40a6a6aff58ecee23d3858
Instruction Fuzzy Hash: EBD170B1508300AEC354EBA4D881EBBB7EEEF88705F44491DF985C7191EB34DA48CB66

Function 006C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006C9663
GetFileAttributesW.KERNEL32(?), ref: 006C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 006C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 006C96D3
FindClose.KERNEL32(00000000), ref: 006C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 006C974A
SetCurrentDirectoryW.KERNEL32(00716B7C), ref: 006C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 006C9772
FindClose.KERNEL32(00000000), ref: 006C977F
FindClose.KERNEL32(00000000), ref: 006C978F

Strings

*.*, xrefs: 006C96F5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 6dd84bc7b34e203e0f8b44e9061803ff499856138d9200d032b614de3506a1ef
Instruction ID: 49bfabc9e15f468ebc2b8ce540910f13c6c8f9e38c160b7bc91420738b677efc
Opcode Fuzzy Hash: 6dd84bc7b34e203e0f8b44e9061803ff499856138d9200d032b614de3506a1ef
Instruction Fuzzy Hash: 8431CF725412496EDF24AFB9DC4DEEE37AEEF09320F10405AE915E21D0EB74DE818A34

Function 006C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 006C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 006C9819
FindClose.KERNEL32(00000000), ref: 006C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 006C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 006C9890
SetCurrentDirectoryW.KERNEL32(00716B7C), ref: 006C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006C98B8
FindClose.KERNEL32(00000000), ref: 006C98C5
FindClose.KERNEL32(00000000), ref: 006C98D5

Part of subcall function 006BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006BDB00

Strings

*.*, xrefs: 006C983B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 48d62071ca1e9d8634956b195195c6a0319034dc68147154a42c9df93d6035a1
Instruction ID: b28cdda6c6fd17f741d3c81bcb38bed650628fba32550e26234ea6eb48fce34b
Opcode Fuzzy Hash: 48d62071ca1e9d8634956b195195c6a0319034dc68147154a42c9df93d6035a1
Instruction Fuzzy Hash: 8E31D3715023596EDB20AFB8DC4DEEE37AEDF06320F204559E914A32D0DB71DE858A34

Function 006C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 006C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 006C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 006C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 006C8395

Strings

*.*, xrefs: 006C839B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6534f8f761729ac60513560f4b19c8b90419a564b5fc3be458671410c05b4fd8
Instruction ID: 9f8de554f8785479e519110e0226a7bb65d0f7a1debc3a6df7e7fac6783d8159
Opcode Fuzzy Hash: 6534f8f761729ac60513560f4b19c8b90419a564b5fc3be458671410c05b4fd8
Instruction Fuzzy Hash: F6615B715043459FC720DF64C844EAEB3EAFF89310F04891EF98987251EB35E949CB96

Function 006BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00653AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00653A97,?,?,00652E7F,?,?,?,00000000), ref: 00653AC2

Part of subcall function 006BE199: GetFileAttributesW.KERNEL32(?,006BCF95), ref: 006BE19A

FindFirstFileW.KERNEL32(?,?), ref: 006BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 006BD1DD
MoveFileW.KERNEL32(?,?), ref: 006BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 006BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 006BD237

Part of subcall function 006BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,006BD21C,?,?), ref: 006BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 006BD253
FindClose.KERNEL32(00000000), ref: 006BD264

Strings

\*.*, xrefs: 006BD0CD, 006BD0D6, 006BD0EB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 697330151f0efe3d94d31adfe339d0f32e81f3d12c2c94ceba358b8c279f0ddc
Instruction ID: f71baf414ff11b25b40ee8e70ff0fb985f2370753fc9948fc39b695f89834eca
Opcode Fuzzy Hash: 697330151f0efe3d94d31adfe339d0f32e81f3d12c2c94ceba358b8c279f0ddc
Instruction Fuzzy Hash: 3E617E7180115DAFCF05EBE0C9929EDB7B6AF15301F204569E9017B292EB319F4DCB64

Function 006CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006CED91
EmptyClipboard.USER32 ref: 006CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 006CEDAC
CloseClipboard.USER32 ref: 006CEEA3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 60c85a4738b8ad7d053e7529c2434f472d6ecb5e42a3f7bfe4f4d07d0b0bd609
Instruction ID: 8fa5eb18369fb1211ff82e615b655d6c7c2d9a47b8ccf60ef964251866f96789
Opcode Fuzzy Hash: 60c85a4738b8ad7d053e7529c2434f472d6ecb5e42a3f7bfe4f4d07d0b0bd609
Instruction Fuzzy Hash: 82417835204651AFE720DF15D888F6ABBA6EF44369F14809DE8168F762C736ED42CB90

Function 006BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006B170D
Part of subcall function 006B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006B173A
Part of subcall function 006B16C3: GetLastError.KERNEL32 ref: 006B174A

ExitWindowsEx.USER32(?,00000000), ref: 006BE932

Strings

, xrefs: 006BE920
SeShutdownPrivilege, xrefs: 006BE902
, xrefs: 006BE95C
@, xrefs: 006BE925

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 71306ddb1874d260cf3d2894631b550ac3339d5001fdc6735855070a16169f51
Instruction ID: 4ff027316caace608b8ba425add95d6a13447ebb6196ff306ff8a89c9c77493d
Opcode Fuzzy Hash: 71306ddb1874d260cf3d2894631b550ac3339d5001fdc6735855070a16169f51
Instruction Fuzzy Hash: 100126F3610310AFEB6836B49C86FFB729E9714751F140426F913E61D1E5A25DC983A4

Function 006D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006D1276
WSAGetLastError.WSOCK32 ref: 006D1283
bind.WSOCK32(00000000,?,00000010), ref: 006D12BA
WSAGetLastError.WSOCK32 ref: 006D12C5
closesocket.WSOCK32(00000000), ref: 006D12F4
listen.WSOCK32(00000000,00000005), ref: 006D1303
WSAGetLastError.WSOCK32 ref: 006D130D
closesocket.WSOCK32(00000000), ref: 006D133C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a24656233d572e2ec8e52870bf86567840ea56e0e8f0e39a3513a17dfdcd3999
Instruction ID: e89b7c5537edd60835c56afe672cc10003f4d17a3159f99a41d890893f48b9ae
Opcode Fuzzy Hash: a24656233d572e2ec8e52870bf86567840ea56e0e8f0e39a3513a17dfdcd3999
Instruction Fuzzy Hash: 8F418231A00240AFD714DF64C5D4B6ABBE7AF46324F188189E8568F396C771ED86CBE1

Function 0068B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0068B9D4
_free.LIBCMT ref: 0068B9F8
_free.LIBCMT ref: 0068BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006F3700), ref: 0068BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0072121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0068BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00721270,000000FF,?,0000003F,00000000,?), ref: 0068BC36
_free.LIBCMT ref: 0068BD4B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 853c083329c97fcddb6eb556b3fea4caba34f0a7a6324e94516c5b1464d4889a
Instruction ID: c7be90054b39427303fb867064de9c07b3cccff08a84cc4aae9fbf95b0df5e03
Opcode Fuzzy Hash: 853c083329c97fcddb6eb556b3fea4caba34f0a7a6324e94516c5b1464d4889a
Instruction Fuzzy Hash: D3C12771A00205AFCB24BF689C51AEE7BBAEF51310F18639EE494D7351EB309E42C754

Function 006BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00653AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00653A97,?,?,00652E7F,?,?,?,00000000), ref: 00653AC2

Part of subcall function 006BE199: GetFileAttributesW.KERNEL32(?,006BCF95), ref: 006BE19A

FindFirstFileW.KERNEL32(?,?), ref: 006BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 006BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 006BD481
FindClose.KERNEL32(00000000), ref: 006BD498
FindClose.KERNEL32(00000000), ref: 006BD4A1

Strings

\*.*, xrefs: 006BD3F2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6cad8b4feffb47e5eb90d0350cc58787163e287e5030bcfd585fa1eff5de1c01
Instruction ID: dc667dc028c68def8bd6ba354a136c7d2f141e94a74e0afd909c7c1e6f6b93c2
Opcode Fuzzy Hash: 6cad8b4feffb47e5eb90d0350cc58787163e287e5030bcfd585fa1eff5de1c01
Instruction Fuzzy Hash: 3A317E710083959FC344EF64C8928EFB7EAAE91311F444E2DF8D197291EB20AA4DC767

Function 0068E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0068E645

Strings

1#IND, xrefs: 0068F83D
1#INF, xrefs: 0068F852
1#SNAN, xrefs: 0068F844
1#QNAN, xrefs: 0068F84B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 177db334ae3145682b9ebf4ebcad18cc07e4b821fb13e7911335d145084012e6
Instruction ID: 27d5a4e32f54308f3cd4f757d6b3c8cd924a2e071c75723e3a08637e87a6c2a5
Opcode Fuzzy Hash: 177db334ae3145682b9ebf4ebcad18cc07e4b821fb13e7911335d145084012e6
Instruction Fuzzy Hash: 8EC24C71E086288FDB65DF28DD407EAB7B6EB48305F1442EAD44DE7241E779AE818F40

Function 006C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006C64DC
CoInitialize.OLE32(00000000), ref: 006C6639
CoCreateInstance.OLE32(006EFCF8,00000000,00000001,006EFB68,?), ref: 006C6650
CoUninitialize.OLE32 ref: 006C68D4

Strings

.lnk, xrefs: 006C64BA, 006C6524, 006C65E0

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 94f15b6658be917438926d284b524e10f96667744b521ff09aa50623d4fea9d1
Instruction ID: 2d348d7614715120772a0e06d0dfb01ac75eb8590bcac8f02dad9eb11a1df4d6
Opcode Fuzzy Hash: 94f15b6658be917438926d284b524e10f96667744b521ff09aa50623d4fea9d1
Instruction Fuzzy Hash: ABD13971508301AFC344EF24C881E6BB7EAFF94705F50496DF5958B2A1EB70E909CBA6

Function 006D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006D22E8

Part of subcall function 006CE4EC: GetWindowRect.USER32(?,?), ref: 006CE504

GetDesktopWindow.USER32 ref: 006D2312
GetWindowRect.USER32(00000000), ref: 006D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006D2355
GetCursorPos.USER32(?), ref: 006D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006D23DF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 18314b4370a5f20aaab16abcf7c83aba9cdbea3b35a8b74e84839083a4dd220f
Instruction ID: 0540872a372c5e941583a274dc6b5f6b664b3f78829af9d3bffa9be5f516d51d
Opcode Fuzzy Hash: 18314b4370a5f20aaab16abcf7c83aba9cdbea3b35a8b74e84839083a4dd220f
Instruction Fuzzy Hash: 7931CF72904356ABCB20DF14C845B9BB7AAFF84310F00091EF9959B281DB35E909CB92

Function 006C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006C9C8B

Part of subcall function 006C3874: GetInputState.USER32 ref: 006C38CB
Part of subcall function 006C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006C9C75

Strings

*.*, xrefs: 006C9B5D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cf6574eff1f17a61617cb133a3629bebd393fee126df8b614a02e92c9fb685c6
Instruction ID: 88d17b55f3f099c746cc33fb8cfd41df6c74ac01fa7c0d5d074131a242250371
Opcode Fuzzy Hash: cf6574eff1f17a61617cb133a3629bebd393fee126df8b614a02e92c9fb685c6
Instruction Fuzzy Hash: 0041927190424AAFCF54DF64C889FFE7BB6EF05311F20415AE805A2291EB319E85CF64

Function 0066997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00669A4E
GetSysColor.USER32(0000000F), ref: 00669B23
SetBkColor.GDI32(?,00000000), ref: 00669B36

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e9b50bbe4326d7f5667752593734820e571ccc8e42ed806d3842b9859be07f67
Instruction ID: 0e2ce73aad1cd6b479be46ce91f5b751cf21b421d46b765fd8c5237890ada946
Opcode Fuzzy Hash: e9b50bbe4326d7f5667752593734820e571ccc8e42ed806d3842b9859be07f67
Instruction Fuzzy Hash: 24A10770109554AEE728AA7D8C98EFB26DFEB43310F15421EFD02C6791CA35DD02DA79

Function 006D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006D307A
Part of subcall function 006D304E: _wcslen.LIBCMT ref: 006D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006D185D
WSAGetLastError.WSOCK32 ref: 006D1884
bind.WSOCK32(00000000,?,00000010), ref: 006D18DB
WSAGetLastError.WSOCK32 ref: 006D18E6
closesocket.WSOCK32(00000000), ref: 006D1915

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9d1fbb91f3b403fed0d5e883e7b5db7c5ebf8ecb1664e1900ffd42c1c7466011
Instruction ID: f7dbd674a12e0d2b12ddd37a7a83ee105e37bcef9d7574bd65989c45ea1bc69d
Opcode Fuzzy Hash: 9d1fbb91f3b403fed0d5e883e7b5db7c5ebf8ecb1664e1900ffd42c1c7466011
Instruction Fuzzy Hash: 1D51B371A00200AFEB10EF24C896F6A77E6AB85718F04805DF9155F3D3DB71AD42CBA1

Function 006E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006E1CC0
IsWindowEnabled.USER32 ref: 006E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 006E1CDB
IsIconic.USER32 ref: 006E1CE9
IsZoomed.USER32 ref: 006E1CF7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3d89432d74221a1af258fad1bef4bb296ebd195477e896ce10cb60a4721d8d7d
Instruction ID: 08f4eaf1dc46fb015fdfa1a6847fd606e49ecfd963246cc752c63b83ae49fd78
Opcode Fuzzy Hash: 3d89432d74221a1af258fad1bef4bb296ebd195477e896ce10cb60a4721d8d7d
Instruction Fuzzy Hash: B521A0317423815FD7208F2BC894B6A7BA7AF86725B289068E846CF351C775EC42DB94

Function 00658060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0065843C
VUUU, xrefs: 006583FA
VUUU, xrefs: 00695DF0
ERCP, xrefs: 0065813C
VUUU, xrefs: 006583E8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: b371f8167a427788988ceb618b3623b999dbd2111a1b058299c5abadbdb82d88
Instruction ID: 1cd3a99ee139774e0dc1ffc4d74cc63b47f33ec5ee11146d655b62495450ba46
Opcode Fuzzy Hash: b371f8167a427788988ceb618b3623b999dbd2111a1b058299c5abadbdb82d88
Instruction Fuzzy Hash: 76A25D70A0061ACFDF25CF58C9407EDB7B6AB54311F2481AAEC16A7B85EB709D85CB90

Function 006B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006B82AA

Strings

|, xrefs: 006B82DA
(, xrefs: 006B82F0
tbq, xrefs: 006B84F4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: lstrlen
String ID: ($tbq$|
API String ID: 1659193697-2635483380
Opcode ID: 17e434c372b3ccea460cf0b0fd02637a4f51108dc540f0699433a5123360ba2d
Instruction ID: 9d096e66c2b58dc9f3964d4fb9c31ed6cbeda5f05e2621a2748b83d4b183744d
Opcode Fuzzy Hash: 17e434c372b3ccea460cf0b0fd02637a4f51108dc540f0699433a5123360ba2d
Instruction Fuzzy Hash: 993237B4A00705DFC728CF59C481AAAB7F5FF48710B15856EE49ADB3A1EB70E981CB44

Function 006DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 006DA6BA

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Process32NextW.KERNEL32(00000000,?), ref: 006DA79C
CloseHandle.KERNEL32(00000000), ref: 006DA7AB

Part of subcall function 0066CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00693303,?), ref: 0066CE8A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: dfcd6c046af9ed82f07346f279ac8344265f04e7e3ea45604f5886c8fa4987ec
Instruction ID: f59329998ebc5bfabdfabf0ca594e941a6d7eed7a0280a705dc3e42901c29b9a
Opcode Fuzzy Hash: dfcd6c046af9ed82f07346f279ac8344265f04e7e3ea45604f5886c8fa4987ec
Instruction Fuzzy Hash: 56516F71508300AFD750EF24C886A6BBBE9FF89754F40492DF98597252EB30D908CB96

Function 006BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006BAAAC
SetKeyboardState.USER32(00000080), ref: 006BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006BAB88

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7126b430e1dcd00e8aa747781812c715c60624917cf421d10e48bb49b909607a
Instruction ID: 4ff96d3b049d203e29ffcd14205b856c609eb5d022f71476157eda8e4cdc06f8
Opcode Fuzzy Hash: 7126b430e1dcd00e8aa747781812c715c60624917cf421d10e48bb49b909607a
Instruction Fuzzy Hash: 7631F4B0A40258AFFF358BA4CC45BFA7BA7AB44320F04421AF5E1962D1D37589C6C766

Function 006CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 006CCE89
GetLastError.KERNEL32(?,00000000), ref: 006CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 006CCEFE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: eca134914956adbdb713d9f46e4158da0500ddd5dcf8b241945b6673a48e8ab7
Instruction ID: cb71f513a4b42d51bdf912eeed5083fb11b063c15da45bff113817f3502c75d9
Opcode Fuzzy Hash: eca134914956adbdb713d9f46e4158da0500ddd5dcf8b241945b6673a48e8ab7
Instruction Fuzzy Hash: DC21BDB19003059FEB20DF65C988FAA7BFAEF05324F10841EE64AD6251E770EE458B94

Function 00682622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0068271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00682724
UnhandledExceptionFilter.KERNEL32(?), ref: 00682731

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2098909cd6a851b71e6290f2de9f0dae9869be6d93f175b44a3f5eb5a69d5f27
Instruction ID: 8f7d06f18663b74097b8c4cc49e0cc060572967e46c060a0542a1f444716a0bc
Opcode Fuzzy Hash: 2098909cd6a851b71e6290f2de9f0dae9869be6d93f175b44a3f5eb5a69d5f27
Instruction Fuzzy Hash: 8E31D574901319ABCB61DF69DC887DCB7B9AF08310F5082EAE40CA7261E7309F818F44

Function 006C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006C5238
SetErrorMode.KERNEL32(00000000), ref: 006C52A1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2a1295f96016de5dc4ff277c74006f926b6a18e1e3ba2337bba4cbf9f081c38c
Instruction ID: 070101d5e5b0d253a9597409f3c3b5f62915873e15aed39395c4a0286362ee77
Opcode Fuzzy Hash: 2a1295f96016de5dc4ff277c74006f926b6a18e1e3ba2337bba4cbf9f081c38c
Instruction Fuzzy Hash: 22311A75A00618DFDB00DF54D884EEDBBB6FF49314F048099E805AB3A2DB35E95ACB91

Function 006B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0066FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00670668
Part of subcall function 0066FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00670685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006B173A
GetLastError.KERNEL32 ref: 006B174A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ef3790c8f7274fa1709d74ec64a6e87c7b70cedca9671630f0c8cab83c082b85
Instruction ID: 6e84e6f9c5ec9238ea5f0b3827c77fbad46c5892c3f0be01a48cc75534eb3af4
Opcode Fuzzy Hash: ef3790c8f7274fa1709d74ec64a6e87c7b70cedca9671630f0c8cab83c082b85
Instruction Fuzzy Hash: 411191B2404304BFD7189F54ECC6DAAB7BEEF45724B20852EE4565B241EB70BC828B64

Function 006BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006BD650

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: ce4a83e0a1d505f161666bbce8d8a669309a4f1122198f5ace34be8900424c35
Instruction ID: 33024e0127a03066356696cf2d8fc2dc6af0ab67708e79ba4cb17b3c5a9799a9
Opcode Fuzzy Hash: ce4a83e0a1d505f161666bbce8d8a669309a4f1122198f5ace34be8900424c35
Instruction Fuzzy Hash: FC113CB5E05228BFDB108F959C85FEFBFBDEB45B60F108115F904EB290D6704A058BA1

Function 006B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006B16A1
FreeSid.ADVAPI32(?), ref: 006B16B1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 158f018aff65d6117e42ebe8de6f79808d880b4b7579e3d78dab0c6bbff49ec3
Instruction ID: 886540065eac6ee693d01b437af317d8179863b37e91da2156d8b18bc089e94e
Opcode Fuzzy Hash: 158f018aff65d6117e42ebe8de6f79808d880b4b7579e3d78dab0c6bbff49ec3
Instruction Fuzzy Hash: 7BF0F471950309FBDB00DFE49C89AAEBBBDEB08614F504565E501E6181E775AA448B50

Function 00674CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006828E9,?,00674CBE,006828E9,007188B8,0000000C,00674E15,006828E9,00000002,00000000,?,006828E9), ref: 00674D09
TerminateProcess.KERNEL32(00000000,?,00674CBE,006828E9,007188B8,0000000C,00674E15,006828E9,00000002,00000000,?,006828E9), ref: 00674D10
ExitProcess.KERNEL32 ref: 00674D22

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ae9e7d59c947b49ff3fc1afb108902cfdff5fd279ed2539a2ac11bc6f60e7b9f
Instruction ID: 2ee145f00dc133f455b4b57a6956f04ab40719a04766007d5578301c8770aa1e
Opcode Fuzzy Hash: ae9e7d59c947b49ff3fc1afb108902cfdff5fd279ed2539a2ac11bc6f60e7b9f
Instruction Fuzzy Hash: 90E0B631000688AFCF21AF54DD5DA983B6BEF41791B118018FC599A222DF35ED52CB84

Function 0068C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0068C36C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 40738ba2c2509949d15b639a18ae5fb3744008b390ff778bd5ff4536a10f1255
Instruction ID: 92fe6ec02d24755435cc039c192a206fc44acadccb27a5de4dafa6389d50d71e
Opcode Fuzzy Hash: 40738ba2c2509949d15b639a18ae5fb3744008b390ff778bd5ff4536a10f1255
Instruction Fuzzy Hash: 8A412B72500219AFCB20AFB9DC59DFB77BAEB84324F50436DF905D7280E6719E818B64

Function 006AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 006AD28C

Strings

X64, xrefs: 006AD2A8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 80b55a74209bd0ef4e89bb80407576fe98f2afcc69c9e53a7f181e27e2d72937
Instruction ID: 3977a583930fd3b113f8f272b201cbe10647833123f38f30236877e4121e5d69
Opcode Fuzzy Hash: 80b55a74209bd0ef4e89bb80407576fe98f2afcc69c9e53a7f181e27e2d72937
Instruction Fuzzy Hash: 5DD0C9B480111DEACB90DB90DCC8DD9B37DBB04315F100151F506A2040D7309A4A9F10

Function 0067CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 20b7eb41ea83b6f3e7f07b723e583ec9fc42381a10472333490c156cf9628665
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B5020D71E001199FDF24CFA9D8806EDBBF6EF48324F25826DD919E7384D731AA418B94

Function 0065CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#r, xrefs: 0065CF7F
Variable is not of type 'Object'., xrefs: 006A0C40

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#r
API String ID: 0-4023953213
Opcode ID: 1cc356f5fc130c68699480ccdd3ad57c7377c1e9ac3e41bda29a34896227625f
Instruction ID: cdd45f74d555b6b82588ad12cfac7220a55e7b6f86677ee057d30c51f5e307fe
Opcode Fuzzy Hash: 1cc356f5fc130c68699480ccdd3ad57c7377c1e9ac3e41bda29a34896227625f
Instruction Fuzzy Hash: 34328A70900318DFDF14EF94C891AEDB7B6BF05315F148169E806AB392DB75AE4ACB60

Function 006C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006C6918
FindClose.KERNEL32(00000000), ref: 006C6961

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 769e7e3ae6f78f630f490d8ccba629b3f6ae58b87fbde05f0dea7e50262b23fa
Instruction ID: 3d3ac1df0f8400e8a8cc9041d9c86f516222d1372be1e0eaca78958f89f54d91
Opcode Fuzzy Hash: 769e7e3ae6f78f630f490d8ccba629b3f6ae58b87fbde05f0dea7e50262b23fa
Instruction Fuzzy Hash: 00117F716042019FC710DF29D885A26BBE6EF85329F14C69DF8698F3A2D730EC05CB95

Function 006C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006D4891,?,?,00000035,?), ref: 006C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006D4891,?,?,00000035,?), ref: 006C37F4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ae0cf18e4b9f97d2b739a23565938bd30dece59a3cde219d7efa59283101d5f5
Instruction ID: 0f9403b14d87698003079afb2a8004e2cc5460bf7fc774e2a202ac358bc9b89a
Opcode Fuzzy Hash: ae0cf18e4b9f97d2b739a23565938bd30dece59a3cde219d7efa59283101d5f5
Instruction Fuzzy Hash: 21F0E5B16043296EEB6017668C8DFEB3AAFEFC5771F004169F509D2281D9609905C6F4

Function 006BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006BB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 006BB270

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ee4c939464d41e1232badbc7858934ebc6939f57c0c457ab2b44f6bc75295b7f
Instruction ID: d1385d7ee949539f291af0ea01de44bea269fd77be468bbedba855c08b640b10
Opcode Fuzzy Hash: ee4c939464d41e1232badbc7858934ebc6939f57c0c457ab2b44f6bc75295b7f
Instruction Fuzzy Hash: 9CF01D7180438DABDF059FA1C805BFE7BB5FF04315F109009F965A9191C3B9C6529F94

Function 006B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006B11FC), ref: 006B10D4
CloseHandle.KERNEL32(?,?,006B11FC), ref: 006B10E9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d4852201ba4f7add3ca984a1a79d629ab2c306f2f998fd7614e88be30a1cb48d
Instruction ID: 9e39e28502e62c7b261332bcbe0a35d8767073109c1a66978f2fbecf9b7dff08
Opcode Fuzzy Hash: d4852201ba4f7add3ca984a1a79d629ab2c306f2f998fd7614e88be30a1cb48d
Instruction Fuzzy Hash: 4CE04F72014700BEE7252B11FC09EB37BAAEF04320B10882EF4A5844B1DB626C90DB14

Function 0068676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00686766,?,?,00000008,?,?,0068FEFE,00000000), ref: 00686998

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d811b66ee991dd336fbabdad8b7173da56c593afe22a61202bee17939b3bfea0
Instruction ID: 30206c49386aa586b3f5e392a7c16154d8518c78156471123741a11da4b1db52
Opcode Fuzzy Hash: d811b66ee991dd336fbabdad8b7173da56c593afe22a61202bee17939b3bfea0
Instruction Fuzzy Hash: D0B15C71610609DFDB19DF28C48ABA57BE1FF05364F258658F89ACF2A2C735D982CB40

Function 0066B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 006A851F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d2d489fd91223d75a6f777bc909070cd738cd83248bbd0a8e67cd3af04946295
Instruction ID: 446c7e231b348f4a62fe010675a8515942a00c9ec91be5e23ac38e537b512fe2
Opcode Fuzzy Hash: d2d489fd91223d75a6f777bc909070cd738cd83248bbd0a8e67cd3af04946295
Instruction Fuzzy Hash: FF124F71900229DFCB64DF58C8816EEB7F6EF49710F1481AAE849EB255DB349E81CF90

Function 006CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006CEABD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: df7fc2f1ceadfb195b8e4d5dcb9d7494ee1a52e1a75c19188b98cc64d0d02187
Instruction ID: 626a13c812b0cc746a76deb742486ea4e5fafb63c6102309bf929a73320512e3
Opcode Fuzzy Hash: df7fc2f1ceadfb195b8e4d5dcb9d7494ee1a52e1a75c19188b98cc64d0d02187
Instruction Fuzzy Hash: FFE01A312002049FC710EFA9D844E9AB7EAEF98770F00841AFC49CB351DA71A8458B90

Function 006709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006703EE), ref: 006709DA

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7af92af29e3e2835a3c6ef9d6d413ca52bb54a91583f93b2dab6d699c4cdda7f
Instruction ID: 25cbf59252ad5e869fbea7ea2c1462ea45d6f4da95848a2e98021508b6bf8e76
Opcode Fuzzy Hash: 7af92af29e3e2835a3c6ef9d6d413ca52bb54a91583f93b2dab6d699c4cdda7f
Instruction Fuzzy Hash:

Function 0067781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0067798B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ea55067f3bce650750938dd29ebeb054c2e484f002aaa3008d1b98c278974905
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6151697160C7059BDB388568C85D7FE63979B12300F18C92AD98EC7382DA15DE42D39B

Function 006C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&r, xrefs: 006C2053

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: 0&r
API String ID: 0-2801774518
Opcode ID: 5fdbba6243012703b1ffd65a21380b586c2f8307d3e5d5f53326fb1fb2ca4602
Instruction ID: af4e277e540151915c0897e289cdaf4fd210fb3301df89b7b11411e6b27026f3
Opcode Fuzzy Hash: 5fdbba6243012703b1ffd65a21380b586c2f8307d3e5d5f53326fb1fb2ca4602
Instruction Fuzzy Hash: 0421A5327206118BD728CE79C8226BA73E5E754310F15862EE4A7C77D1DE3AE905CB94

Function 00686DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a472ff07d85d05f727ff4be22e3225b2eea148b3d4813847f30bbaf469ce69b
Instruction ID: 9b9395c3af5b01aad249804f3994b9c6f792310dd381cbcc5fdb79ff3d258268
Opcode Fuzzy Hash: 5a472ff07d85d05f727ff4be22e3225b2eea148b3d4813847f30bbaf469ce69b
Instruction Fuzzy Hash: 3932F721D29F014DD723A634DC32335A64AAFB73C5F25D737E81AB5AA5EF29C5838201

Function 0066CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d0120527d8a6a4a87eedf4f918a054bff30ddeec7773be4e8866deb0374f64
Instruction ID: 0d577d81105725e53d6c6d3c17b45468a93f19d9c6f1cb8c608ae59f106fb62d
Opcode Fuzzy Hash: 05d0120527d8a6a4a87eedf4f918a054bff30ddeec7773be4e8866deb0374f64
Instruction Fuzzy Hash: 5232F231A041158BCF28EB2CC4946FDBBA3EF46330F28856AD49A9B391D634DD82DF50

Function 00657920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2cd9338fe6c197b988ba01959b2f92adc4cefa2a59c13e620123efd21af2ce
Instruction ID: 485016905c1c5048b8dc0b1d07ee187b9f067ad4558646d09c084c55a965ac7a
Opcode Fuzzy Hash: 8d2cd9338fe6c197b988ba01959b2f92adc4cefa2a59c13e620123efd21af2ce
Instruction Fuzzy Hash: 1822BFB0A0060ADFDF14CF64D881AEEB7F7FF44300F148629E816A7691EB36A915CB54

Function 006591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f15ecd25c1599380b3541c0bf94a4d1df8302d21c89d2fb002c7d62940fe67d
Instruction ID: 49bbe3e5196d14263f4d6d75bea087577ed3ac5a852adb88955e0367a4f6f040
Opcode Fuzzy Hash: 1f15ecd25c1599380b3541c0bf94a4d1df8302d21c89d2fb002c7d62940fe67d
Instruction Fuzzy Hash: 0C02A6B0E00205EBDF04DF54D981AADBBB6FF54300F108169E816DB391EB35EA55CB95

Function 00671C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 95c6cef6e02fff7b3ac91460d7d927245109fb6018c702bedbf7ff1b38208235
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C59189725080A34ADB29463E85750BDFFE25E533A131A479FD4FACE2C1FE14C955DA20

Function 006719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9ba4097245b1734aae40cd72530ceef1ca1864b559dc6f24b840e8109119c9d4
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5F9196722090A34ADB2D427E857407DFFE25A937A131A879FD4FACE2C1FE14C655D620

Function 00677A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778822830b50343c2fe7bfe7eeab85b6075a20c49487bdfa1362008e436a3987
Instruction ID: 061004b9f2bacc45485a89c549f79dae433e2fcd4b6173f48c2704c26383dee9
Opcode Fuzzy Hash: 778822830b50343c2fe7bfe7eeab85b6075a20c49487bdfa1362008e436a3987
Instruction Fuzzy Hash: 37618A313487099AEE349D2C8D95BFE2397DF51B00F20C91DE84ECB381D6119E42C759

Function 00677CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23157be08ea40ae05ef8f404202bd067ed3d6927eb421fb78a4652b40eeb44b8
Instruction ID: a1b1bcb230303cce1cb8df43e1054414c8beeb003f7d48c69be79353dfc09d30
Opcode Fuzzy Hash: 23157be08ea40ae05ef8f404202bd067ed3d6927eb421fb78a4652b40eeb44b8
Instruction Fuzzy Hash: D8619B31248709A7DE388A688855BFF2397DF42704F20C95EE94FCB381EA12DD42C759

Function 00671706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c7a3f2eb01965a16c5b26ddd1ee6d2bee813bafffe4934e97c102cf2220c3927
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 358176325090A34ADB6D463D85340BEFFE35A933A131A879FD4FACE2C1EE24C555E620

Function 0066D07D Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40266a6cdf263aa76b92f2ff44dbaa9fa5c49375f30cdc9f2d18a0093358e4e2
Instruction ID: e1e1adae573d6b9152e072f5c173db7822c2c886f9e42e7a2411ffa6e0e7580d
Opcode Fuzzy Hash: 40266a6cdf263aa76b92f2ff44dbaa9fa5c49375f30cdc9f2d18a0093358e4e2
Instruction Fuzzy Hash: D851C6616867429FE30E9A209C02B80FB52FF92E10F0CCBCEE1454E8C7DB919949C7C1

Function 00603640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 23cc3c356a020023297f32ebea48ecb5efd34e0c327317455b00c8d606b38037
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: CA41B3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 006034D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 911f05815f508ff9a94631a3f7e6cd14d0148bd7465228718740e51905512c33
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F1019278A40119EFCB48DF98C5909AEF7FAFB48310F208599E809A7741D730EE41DB80

Function 00603530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c594b3daec69f98bf9d86e10ff11bfba8411d14035571ad188036a5e5c1919a3
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E1019278A10119EFCB49DF98C5909AEF7BAFB48310F208699E809A7751D730AE41DB80

Function 00601E80 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359274545.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 006D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006D2B30
DeleteObject.GDI32(00000000), ref: 006D2B43
DestroyWindow.USER32 ref: 006D2B52
GetDesktopWindow.USER32 ref: 006D2B6D
GetWindowRect.USER32(00000000), ref: 006D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2CF8
GetClientRect.USER32(00000000,?), ref: 006D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2DA8
GlobalFree.KERNEL32(00000000), ref: 006D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,006EFC38,00000000), ref: 006D2DDB
GlobalFree.KERNEL32(00000000), ref: 006D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006D303F

Strings

DISPLAY, xrefs: 006D2EA2
static, xrefs: 006D2D3A, 006D2E91
, xrefs: 006D2FC5
AutoIt v3, xrefs: 006D2CF2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f8ebb1c222643dfc2c41b10b91e08c325a71264c8db15c8565415b46b22eca2c
Instruction ID: 882040ef6a606e311ac544b5e239e24a9b395125d174e38923ccf177fadc4217
Opcode Fuzzy Hash: f8ebb1c222643dfc2c41b10b91e08c325a71264c8db15c8565415b46b22eca2c
Instruction Fuzzy Hash: A5028C71900205AFDB14DF64CC89EAE7BBAFF48321F008559F915AB2A1DB74ED02CB60

Function 006E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006E712F
GetSysColorBrush.USER32(0000000F), ref: 006E7160
GetSysColor.USER32(0000000F), ref: 006E716C
SetBkColor.GDI32(?,000000FF), ref: 006E7186
SelectObject.GDI32(?,?), ref: 006E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 006E71C0
GetSysColor.USER32(00000010), ref: 006E71C8
CreateSolidBrush.GDI32(00000000), ref: 006E71CF
FrameRect.USER32(?,?,00000000), ref: 006E71DE
DeleteObject.GDI32(00000000), ref: 006E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 006E7230
FillRect.USER32(?,?,?), ref: 006E7262
GetWindowLongW.USER32(?,000000F0), ref: 006E7284

Part of subcall function 006E73E8: GetSysColor.USER32(00000012), ref: 006E7421
Part of subcall function 006E73E8: SetTextColor.GDI32(?,?), ref: 006E7425
Part of subcall function 006E73E8: GetSysColorBrush.USER32(0000000F), ref: 006E743B
Part of subcall function 006E73E8: GetSysColor.USER32(0000000F), ref: 006E7446
Part of subcall function 006E73E8: GetSysColor.USER32(00000011), ref: 006E7463
Part of subcall function 006E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006E7471
Part of subcall function 006E73E8: SelectObject.GDI32(?,00000000), ref: 006E7482
Part of subcall function 006E73E8: SetBkColor.GDI32(?,00000000), ref: 006E748B
Part of subcall function 006E73E8: SelectObject.GDI32(?,?), ref: 006E7498
Part of subcall function 006E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006E74B7
Part of subcall function 006E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006E74CE
Part of subcall function 006E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006E74DB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5a05f5d26a4de49939f1b098725dc88100927cef1d350d36e6029f4f41adf573
Instruction ID: 507321c08778cd75e43690b13a33be806b77a0f73b1000e8bc55e15171e5e642
Opcode Fuzzy Hash: 5a05f5d26a4de49939f1b098725dc88100927cef1d350d36e6029f4f41adf573
Instruction Fuzzy Hash: 9CA1B372009381BFD7009F64DC88E9B7BAAFF49330F101A19FA629A1E1D771E946DB51

Function 00668D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00668E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 006A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006A6F43

Part of subcall function 00668F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00668BE8,?,00000000,?,?,?,?,00668BBA,00000000,?), ref: 00668FC5

SendMessageW.USER32(?,00001053), ref: 006A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 006A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 006A6FB7

Strings

0, xrefs: 006A6DCF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 74ba9535e4cb59633c10b525a7cd7490ace9ca92a7b01288d153bd08008807f2
Instruction ID: 0fe17d434cedca911f8db00489b846801ddfe4c9ba868f882698b89b2eb3b8d4
Opcode Fuzzy Hash: 74ba9535e4cb59633c10b525a7cd7490ace9ca92a7b01288d153bd08008807f2
Instruction Fuzzy Hash: 7D12AC30204241DFDB25EF24C894BA6B7E3FF5A310F588569F5858B261CB32AC92CF95

Function 006D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006D2900
GetClientRect.USER32(00000000,?), ref: 006D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006D2964
GetStockObject.GDI32(00000011), ref: 006D2974
SelectObject.GDI32(00000000,00000000), ref: 006D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D2991
DeleteDC.GDI32(00000000), ref: 006D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 006D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006D2A77
GetStockObject.GDI32(00000011), ref: 006D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006D2A97

Strings

msctls_progress32, xrefs: 006D2A13
DISPLAY, xrefs: 006D295A
static, xrefs: 006D294F, 006D2A71
AutoIt v3, xrefs: 006D28F8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 050a8a7432309948cda3fec6499712fb16f5b25e4ba4ef6757bc08e880e66206
Instruction ID: 0e790e7b56b7d6fa2e3a3613a3c85a714828ebe42083a5964337ae722d8d6d48
Opcode Fuzzy Hash: 050a8a7432309948cda3fec6499712fb16f5b25e4ba4ef6757bc08e880e66206
Instruction Fuzzy Hash: 55B17E71A00205AFEB24DF68DC89FAE7BAAFB19711F008119F914EB291D774ED41CB94

Function 006C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006C4AED
GetDriveTypeW.KERNEL32(?,006ECB68,?,\\.\,006ECC08), ref: 006C4BCA
SetErrorMode.KERNEL32(00000000,006ECB68,?,\\.\,006ECC08), ref: 006C4D36

Strings

1394, xrefs: 006C4C9F
SSA, xrefs: 006C4CA6
ATA, xrefs: 006C4C98
MMC, xrefs: 006C4CDE
RAMDisk, xrefs: 006C4BF4
FileBackedVirtual, xrefs: 006C4CEC
SATA, xrefs: 006C4CD0
PhysicalDrive, xrefs: 006C4B76
iSCSI, xrefs: 006C4CC2
Removable, xrefs: 006C4C10, 006C4C15
RAID, xrefs: 006C4CBB
CDROM, xrefs: 006C4BFB
ATAPI, xrefs: 006C4C91
USB, xrefs: 006C4CB4
SSD, xrefs: 006C4C4A
SAS, xrefs: 006C4CC9
Network, xrefs: 006C4C02
\\.\, xrefs: 006C4B3F
Unknown, xrefs: 006C4BED, 006C4C83
Virtual, xrefs: 006C4CE5
Fixed, xrefs: 006C4C09
SCSI, xrefs: 006C4C8A
Fibre, xrefs: 006C4CAD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: eeb76855415a9fa50e962fdb5a8b69151c1d1d4a9830ca76da5bc9d9aad7b91b
Instruction ID: 84a779a271ed94c9fa1f9c90afd4c195a2717316a086f3e50e506dc4bd34586d
Opcode Fuzzy Hash: eeb76855415a9fa50e962fdb5a8b69151c1d1d4a9830ca76da5bc9d9aad7b91b
Instruction Fuzzy Hash: 1361A0707062059BCB14DF28CAA2EF977B3EB04740B20441DF846AB2A1DE39ED86DB55

Function 006E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006E7421
SetTextColor.GDI32(?,?), ref: 006E7425
GetSysColorBrush.USER32(0000000F), ref: 006E743B
GetSysColor.USER32(0000000F), ref: 006E7446
CreateSolidBrush.GDI32(?), ref: 006E744B
GetSysColor.USER32(00000011), ref: 006E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006E7471
SelectObject.GDI32(?,00000000), ref: 006E7482
SetBkColor.GDI32(?,00000000), ref: 006E748B
SelectObject.GDI32(?,?), ref: 006E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 006E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 006E7572
DrawFocusRect.USER32(?,?), ref: 006E757D
GetSysColor.USER32(00000011), ref: 006E758E
SetTextColor.GDI32(?,00000000), ref: 006E7596
DrawTextW.USER32(?,006E70F5,000000FF,?,00000000), ref: 006E75A8
SelectObject.GDI32(?,?), ref: 006E75BF
DeleteObject.GDI32(?), ref: 006E75CA
SelectObject.GDI32(?,?), ref: 006E75D0
DeleteObject.GDI32(?), ref: 006E75D5
SetTextColor.GDI32(?,?), ref: 006E75DB
SetBkColor.GDI32(?,?), ref: 006E75E5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b6ca14dcab3d1ec4df55c377415a353ecc652bc86f7270dccc802123b0cb5b18
Instruction ID: c8bd0b061c45ae9591526f13ed83616383813b8a06c07768c2417b70721cf880
Opcode Fuzzy Hash: b6ca14dcab3d1ec4df55c377415a353ecc652bc86f7270dccc802123b0cb5b18
Instruction Fuzzy Hash: C7617C72901358AFDF009FA8DC88EEEBFBAEB09320F105115F911AB2A1D7709941DF90

Function 006E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006E1128
GetDesktopWindow.USER32 ref: 006E113D
GetWindowRect.USER32(00000000), ref: 006E1144
GetWindowLongW.USER32(?,000000F0), ref: 006E1199
DestroyWindow.USER32(?), ref: 006E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 006E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006E1245
IsWindowVisible.USER32(00000000), ref: 006E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006E12D0
GetWindowRect.USER32(00000000,?), ref: 006E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 006E130E
GetMonitorInfoW.USER32(00000000,?), ref: 006E1328
CopyRect.USER32(?,?), ref: 006E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006E13AA

Strings

(, xrefs: 006E131B
tooltips_class32, xrefs: 006E11E6
0, xrefs: 006E10D3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e631a5eed8c8d331c17aa4c9976d837dd8cbf238d008e39a75f7c790fea1665e
Instruction ID: 382b1a2fed5d12e51fa7a4300dded0c91152386c4de6d040229e587eed7bd700
Opcode Fuzzy Hash: e631a5eed8c8d331c17aa4c9976d837dd8cbf238d008e39a75f7c790fea1665e
Instruction Fuzzy Hash: 6CB1BD71604380AFD744DF65C884BABBBE6FF85310F00891CF9999B2A1DB31E845DBA5

Function 006E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006E02E5
_wcslen.LIBCMT ref: 006E031F
_wcslen.LIBCMT ref: 006E0389
_wcslen.LIBCMT ref: 006E03F1
_wcslen.LIBCMT ref: 006E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E0504

Part of subcall function 0066F9F2: _wcslen.LIBCMT ref: 0066F9FD

Part of subcall function 006B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006B2258
Part of subcall function 006B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006B228A

Strings

GETITEMCOUNT, xrefs: 006E0316, 006E0337
GETSELECTEDCOUNT, xrefs: 006E0470, 006E048B
ISSELECTED, xrefs: 006E04DD
SELECT, xrefs: 006E0548
VIEWCHANGE, xrefs: 006E0675
DESELECT, xrefs: 006E059C
FINDITEM, xrefs: 006E0627
GETTEXT, xrefs: 006E03EC, 006E0407
GETSUBITEMCOUNT, xrefs: 006E0384, 006E039F
GETSELECTED, xrefs: 006E05E1
SELECTALL, xrefs: 006E0515
SELECTINVERT, xrefs: 006E057E
SELECTCLEAR, xrefs: 006E052D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 48b87d1837f159cd18e361c335fdc8533235d7c5b2f928db9775900f1b0be95f
Instruction ID: bc42107852cad0e0197b3cccd5d6ee9d83d84d18718cd11317ed12296ae245d3
Opcode Fuzzy Hash: 48b87d1837f159cd18e361c335fdc8533235d7c5b2f928db9775900f1b0be95f
Instruction Fuzzy Hash: 16E1BD312093818FD718DF29C55196AB3E7BF88314F14496CF8969B3A1DB70ED86CB91

Function 00668891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00668968
GetSystemMetrics.USER32(00000007), ref: 00668970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0066899B
GetSystemMetrics.USER32(00000008), ref: 006689A3
GetSystemMetrics.USER32(00000004), ref: 006689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00668A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00668A3C
GetClientRect.USER32(00000000,000000FF), ref: 00668A5A
GetStockObject.GDI32(00000011), ref: 00668A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00668A81

Part of subcall function 0066912D: GetCursorPos.USER32(?), ref: 00669141
Part of subcall function 0066912D: ScreenToClient.USER32(00000000,?), ref: 0066915E
Part of subcall function 0066912D: GetAsyncKeyState.USER32(00000001), ref: 00669183
Part of subcall function 0066912D: GetAsyncKeyState.USER32(00000002), ref: 0066919D

SetTimer.USER32(00000000,00000000,00000028,006690FC), ref: 00668AA8

Strings

AutoIt v3 GUI, xrefs: 00668A20

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c52f311828b9ced185d32210f7a8d5fce293af5fbedcac5eabe43dd6b366cc4d
Instruction ID: aa63aa16ff072555aeebf47a9140dd8e2e385ae03c673ae21c6979cdb608124d
Opcode Fuzzy Hash: c52f311828b9ced185d32210f7a8d5fce293af5fbedcac5eabe43dd6b366cc4d
Instruction Fuzzy Hash: 97B16D71A002499FDB14DFA8DC85BEE3BB6FB48314F154229FA15AB290DB34E842CF54

Function 006B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006B1114
Part of subcall function 006B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1120
Part of subcall function 006B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B112F
Part of subcall function 006B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1136
Part of subcall function 006B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006B0E29
GetLengthSid.ADVAPI32(?), ref: 006B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 006B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006B0E96
GetLengthSid.ADVAPI32(?), ref: 006B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 006B0EB5
HeapAlloc.KERNEL32(00000000), ref: 006B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006B0EDD
CopySid.ADVAPI32(00000000), ref: 006B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0F6E
HeapFree.KERNEL32(00000000), ref: 006B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0F7E
HeapFree.KERNEL32(00000000), ref: 006B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B0F8E
HeapFree.KERNEL32(00000000), ref: 006B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 006B0FA1
HeapFree.KERNEL32(00000000), ref: 006B0FA8

Part of subcall function 006B1193: GetProcessHeap.KERNEL32(00000008,006B0BB1,?,00000000,?,006B0BB1,?), ref: 006B11A1
Part of subcall function 006B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006B0BB1,?), ref: 006B11A8
Part of subcall function 006B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006B0BB1,?), ref: 006B11B7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5d981961a03870b862071aa68049471593434bfa6f2c3dc669a5f585de0c7ce2
Instruction ID: 0bd771824b85a8a641217238f8a98cc0cb896e8a3a8b70b6615c1cd6225f145c
Opcode Fuzzy Hash: 5d981961a03870b862071aa68049471593434bfa6f2c3dc669a5f585de0c7ce2
Instruction Fuzzy Hash: FA7141B190020AABEF209FA4DC45FEFBBBEBF05310F148155F915AA291D7719946CB60

Function 006DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,006ECC08,00000000,?,00000000,?,?), ref: 006DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006DC5A4
_wcslen.LIBCMT ref: 006DC5F4
_wcslen.LIBCMT ref: 006DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006DC84D
RegCloseKey.ADVAPI32(?), ref: 006DC881
RegCloseKey.ADVAPI32(00000000), ref: 006DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006DC960

Strings

REG_MULTI_SZ, xrefs: 006DC6F5
REG_BINARY, xrefs: 006DC913
REG_SZ, xrefs: 006DC644
REG_EXPAND_SZ, xrefs: 006DC5CD
REG_DWORD, xrefs: 006DC804
REG_QWORD, xrefs: 006DC8C3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e2828da4b9d7f35e21e61e503756ff8151cbe935a95a8cb6f3a909f4fe89427c
Instruction ID: 3a2aa4c144e45a88d4754e80dd7b9a3ec27a69c405bcde477253d9f72ec5f826
Opcode Fuzzy Hash: e2828da4b9d7f35e21e61e503756ff8151cbe935a95a8cb6f3a909f4fe89427c
Instruction Fuzzy Hash: 82127A35A042019FC754DF14C891E6ABBE6FF88725F04885DF88A9B3A2DB31ED45CB85

Function 006E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006E09C6
_wcslen.LIBCMT ref: 006E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006E0A54
_wcslen.LIBCMT ref: 006E0A8A
_wcslen.LIBCMT ref: 006E0B06
_wcslen.LIBCMT ref: 006E0B81

Part of subcall function 0066F9F2: _wcslen.LIBCMT ref: 0066F9FD

Part of subcall function 006B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006B2BFA

Strings

GETTEXT, xrefs: 006E0C97
EXPAND, xrefs: 006E0BF8
GETTOTALCOUNT, xrefs: 006E09F2, 006E0A17
GETITEMCOUNT, xrefs: 006E0C1E
CHECK, xrefs: 006E0A85, 006E0AA0
SELECT, xrefs: 006E0D11
GETSELECTED, xrefs: 006E0C4E
UNCHECK, xrefs: 006E0D3E
EXISTS, xrefs: 006E0B7C, 006E0B97
ISCHECKED, xrefs: 006E0CE1
COLLAPSE, xrefs: 006E0B01, 006E0B1C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9128d98daedaca4c661c19313b5ec802dafd7d1d91066195e133507adb310e31
Instruction ID: 967e03e235ee0bd38184ed207c4a4602dbc983fd2b34eeb2bf25ce8ad8e2bb92
Opcode Fuzzy Hash: 9128d98daedaca4c661c19313b5ec802dafd7d1d91066195e133507adb310e31
Instruction Fuzzy Hash: 34E1C0712093818FC754DF29C45096AB7E3BF98314F14895CF8969B3A2DB71ED8ACB81

Function 006DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006DB6AE,?,?), ref: 006DC9B5
_wcslen.LIBCMT ref: 006DC9F1
_wcslen.LIBCMT ref: 006DCA68
_wcslen.LIBCMT ref: 006DCA9E
_wcslen.LIBCMT ref: 006DCAF9
_wcslen.LIBCMT ref: 006DCB2F
_wcslen.LIBCMT ref: 006DCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 006DCAF3, 006DCAF8
HKEY_USERS, xrefs: 006DCBDF
HKCR, xrefs: 006DCB29, 006DCB2E
HKEY_LOCAL_MACHINE, xrefs: 006DCA62, 006DCA67
HKCC, xrefs: 006DCBAC
HKEY_CURRENT_CONFIG, xrefs: 006DCB79, 006DCB7E
HKLM, xrefs: 006DCA98, 006DCA9D
HKU, xrefs: 006DCBF0
HKEY_CURRENT_USER, xrefs: 006DCBBD
HKCU, xrefs: 006DCBCE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2c1a71da03605701e20b2959f3c6abdea0e2dff63006cd880fd5b61540d9de7a
Instruction ID: 4d4347568a55e34c21ba136b1f2a30b44b159bbf01082828d544cdd43913c1fd
Opcode Fuzzy Hash: 2c1a71da03605701e20b2959f3c6abdea0e2dff63006cd880fd5b61540d9de7a
Instruction Fuzzy Hash: 2771C332E1016F8BCB20DE6CC9515FA33A3ABA0774F15452AF8569B384EA35CD85C3A4

Function 006E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006E835A
_wcslen.LIBCMT ref: 006E836E
_wcslen.LIBCMT ref: 006E8391
_wcslen.LIBCMT ref: 006E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006E5BF2), ref: 006E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006E8501
FreeLibrary.KERNEL32(?), ref: 006E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006E851D
DestroyIcon.USER32(?,?,?,?,?,006E5BF2), ref: 006E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006E8555

Strings

.dll, xrefs: 006E83AB
.exe, xrefs: 006E8388
.icl, xrefs: 006E8368

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d4cfa11198cb643f38eaf8f53f05fb61568beb5f2a2ac3e5488881f02bc06212
Instruction ID: 6d5e262ab3c34228c4195a5bdbb85638832ea00b55f74cdb634f141d9930ab53
Opcode Fuzzy Hash: d4cfa11198cb643f38eaf8f53f05fb61568beb5f2a2ac3e5488881f02bc06212
Instruction Fuzzy Hash: A961DC71500345BEEB14CF65CC85BFE77AAAB04B21F104609F819EB1D1EF74AA91CBA0

Function 00657778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0069528C
#pragma compile, xrefs: 006577D3
#notrayicon, xrefs: 006577E7
Bad directive syntax error, xrefs: 0069519A
#comments-end, xrefs: 006578D9
#cs, xrefs: 00657873, 006578C5
#comments-start, xrefs: 0065785F, 006578B1
#include, xrefs: 00657847
#requireadmin, xrefs: 006577FF
#ce, xrefs: 006578ED
#OnAutoItStartRegister, xrefs: 00657817
Cannot parse #include, xrefs: 00695279
#include-once, xrefs: 0065782F
", xrefs: 00695153
', xrefs: 00695169

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 721bdd3bef8469d44978ef080913bd1cebe0229fd0bae752ac13666062d967fa
Instruction ID: 9854c9048fba95b0110b0115ff8530371ea161e9f94b5b82d7dac905ea48722f
Opcode Fuzzy Hash: 721bdd3bef8469d44978ef080913bd1cebe0229fd0bae752ac13666062d967fa
Instruction Fuzzy Hash: FB811571640205BBDF21AF60EC42FEE37ABAF15301F144028FD09AB292EB70DA05C7A5

Function 006B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 006B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006B5A40
SetWindowTextW.USER32(?,?), ref: 006B5A57
GetDlgItem.USER32(?,000003EA), ref: 006B5A6C
SetWindowTextW.USER32(00000000,?), ref: 006B5A72
GetDlgItem.USER32(?,000003E9), ref: 006B5A82
SetWindowTextW.USER32(00000000,?), ref: 006B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006B5AC3
GetWindowRect.USER32(?,?), ref: 006B5ACC
_wcslen.LIBCMT ref: 006B5B33
SetWindowTextW.USER32(?,?), ref: 006B5B6F
GetDesktopWindow.USER32 ref: 006B5B75
GetWindowRect.USER32(00000000), ref: 006B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 006B5BD3
GetClientRect.USER32(?,?), ref: 006B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 006B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006B5C2F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ff249e0227ee3b66f1055c666adc0528b1be1cbaad21004780568509092e7721
Instruction ID: 0bff869a902bd3a5b2355301210f1d23758f232b975fb099783bda8f0bc89107
Opcode Fuzzy Hash: ff249e0227ee3b66f1055c666adc0528b1be1cbaad21004780568509092e7721
Instruction Fuzzy Hash: CA718B71900B09AFDB20DFA8CE95BEEBBF6FF48714F104518E543A66A0D775A981CB10

Function 006B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006B318D
_wcslen.LIBCMT ref: 006B31F8

Strings

NAME, xrefs: 006B3335, 006B3346
CLASS, xrefs: 006B3188, 006B31A5
CLASSNN, xrefs: 006B31F3, 006B3204
TEXT, xrefs: 006B347C
REGEXPCLASS, xrefs: 006B3255, 006B3266
[q, xrefs: 006B339A
INSTANCE, xrefs: 006B3453

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[q
API String ID: 176396367-3342603988
Opcode ID: 81173c1aacaad059bce19ade1b8142fa74c6e26f7f79a8a075152e5cc7370394
Instruction ID: 36869e84e17f18e599e1cba2122e2b15ede58fb9a9cf9fc00d4f275d8cfa3064
Opcode Fuzzy Hash: 81173c1aacaad059bce19ade1b8142fa74c6e26f7f79a8a075152e5cc7370394
Instruction Fuzzy Hash: 61E1A5B2B00536EBCB689F68C4516EEBBA6BF54710F548229E456A7340DB309FC98790

Function 006700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006700C6

Part of subcall function 006700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0072070C,00000FA0,9EA6D57F,?,?,?,?,006923B3,000000FF), ref: 0067011C
Part of subcall function 006700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006923B3,000000FF), ref: 00670127
Part of subcall function 006700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006923B3,000000FF), ref: 00670138
Part of subcall function 006700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0067014E
Part of subcall function 006700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0067015C
Part of subcall function 006700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0067016A
Part of subcall function 006700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00670195
Part of subcall function 006700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006701A0

___scrt_fastfail.LIBCMT ref: 006700E7

Part of subcall function 006700A3: __onexit.LIBCMT ref: 006700A9

Strings

SleepConditionVariableCS, xrefs: 00670154
InitializeConditionVariable, xrefs: 00670148
kernel32.dll, xrefs: 00670133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00670122
WakeAllConditionVariable, xrefs: 00670162

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 193d76948bb072cd9b7db94133a3eabde6ea384f2db6b74fda37c315770a0fc3
Instruction ID: a82cb76935703fba18849698122d8e0987cf562c89aeceae9e08b0dde6f9786b
Opcode Fuzzy Hash: 193d76948bb072cd9b7db94133a3eabde6ea384f2db6b74fda37c315770a0fc3
Instruction Fuzzy Hash: 69212972641750EBFB205BB4AC45BAA3797DF44B60F118139F805967D1DB7498008AB4

Function 006C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,006ECC08), ref: 006C4527
_wcslen.LIBCMT ref: 006C453B
_wcslen.LIBCMT ref: 006C4599
_wcslen.LIBCMT ref: 006C45F4
_wcslen.LIBCMT ref: 006C463F
_wcslen.LIBCMT ref: 006C46A7

Part of subcall function 0066F9F2: _wcslen.LIBCMT ref: 0066F9FD

GetDriveTypeW.KERNEL32(?,00716BF0,00000061), ref: 006C4743

Strings

fixed, xrefs: 006C4635, 006C463A
ramdisk, xrefs: 006C46F1
unknown, xrefs: 006C4708
network, xrefs: 006C469D, 006C46A2
cdrom, xrefs: 006C458F, 006C4594
all, xrefs: 006C4531, 006C4536
removable, xrefs: 006C45EA, 006C45EF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 299820f5263e7a48db6a09026ad1b7256bd32207a78ea1157a3ea05c9871c996
Instruction ID: a73d681416c27bba04f65d4e8eadbacf7a3da1fdd3602caef586d93d026e1cb2
Opcode Fuzzy Hash: 299820f5263e7a48db6a09026ad1b7256bd32207a78ea1157a3ea05c9871c996
Instruction Fuzzy Hash: 6CB1D0716083029BC710DF29C8A0EBAB7E6EFA5760F50491DF49687395EB30D845CAA2

Function 006E911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

DragQueryPoint.SHELL32(?,?), ref: 006E9147

Part of subcall function 006E7674: ClientToScreen.USER32(?,?), ref: 006E769A
Part of subcall function 006E7674: GetWindowRect.USER32(?,?), ref: 006E7710
Part of subcall function 006E7674: PtInRect.USER32(?,?,006E8B89), ref: 006E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 006E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 006E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 006E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 006E9277
DragFinish.SHELL32(?), ref: 006E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006E9371

Strings

p#r, xrefs: 006E92BB
@GUI_DRAGFILE, xrefs: 006E9320
@GUI_DRAGID, xrefs: 006E92E9
@GUI_DROPID, xrefs: 006E929E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#r
API String ID: 221274066-3460447309
Opcode ID: 1e477585061028222fada3701d692a0b30f08c37f1966e559882e4fc767f9f8d
Instruction ID: 115a3713ddbc2eb5db76134108288a0a3ac484f0723f82af069ece5a23dc8745
Opcode Fuzzy Hash: 1e477585061028222fada3701d692a0b30f08c37f1966e559882e4fc767f9f8d
Instruction Fuzzy Hash: 64618A71108341AFC701DF64DC85DAFBBEAEF89760F40092DF991961A1DB309A4ACB66

Function 006DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006DB1D4
_wcslen.LIBCMT ref: 006DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006DB236
_wcslen.LIBCMT ref: 006DB332

Part of subcall function 006C05A7: GetStdHandle.KERNEL32(000000F6), ref: 006C05C6

_wcslen.LIBCMT ref: 006DB34B
_wcslen.LIBCMT ref: 006DB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006DB3B6
GetLastError.KERNEL32(00000000), ref: 006DB407
CloseHandle.KERNEL32(?), ref: 006DB439
CloseHandle.KERNEL32(00000000), ref: 006DB44A
CloseHandle.KERNEL32(00000000), ref: 006DB45C
CloseHandle.KERNEL32(00000000), ref: 006DB46E
CloseHandle.KERNEL32(?), ref: 006DB4E3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 23781bcc0563d0454052aabc5e199997dca3c36b73445e73ae8329708298820f
Instruction ID: 4da7da99eef6cc3896d76175493853e5cd722bb424db059ba53106c50f5a72ca
Opcode Fuzzy Hash: 23781bcc0563d0454052aabc5e199997dca3c36b73445e73ae8329708298820f
Instruction Fuzzy Hash: C4F18931908340DFC754EF24C891B6ABBE2AF85314F15845EF8998B3A6DB31EC45CB96

Function 0065326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00721990), ref: 00692F8D
GetMenuItemCount.USER32(00721990), ref: 0069303D
GetCursorPos.USER32(?), ref: 00693081
SetForegroundWindow.USER32(00000000), ref: 0069308A
TrackPopupMenuEx.USER32(00721990,00000000,?,00000000,00000000,00000000), ref: 0069309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006930A9

Strings

0, xrefs: 0065327D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a53f72ddb08ffa2f89a24f84f65f31bd77cbbe7e45f506af4b8cc468c7313d9b
Instruction ID: 1b8062a4013a6b39eae66b9daf8260d11181d43685d2d0fbaf4eb40a8ef8d1ba
Opcode Fuzzy Hash: a53f72ddb08ffa2f89a24f84f65f31bd77cbbe7e45f506af4b8cc468c7313d9b
Instruction Fuzzy Hash: 02710970640216BEEF218F64CC99FEABF6AFF04764F204216F9146A7E0C7B1A954CB54

Function 006E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006E6DEB

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006E6E94
DestroyWindow.USER32(?), ref: 006E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00650000,00000000), ref: 006E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006E6EFD
GetDesktopWindow.USER32 ref: 006E6F16
GetWindowRect.USER32(00000000), ref: 006E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006E6F4D

Part of subcall function 00669944: GetWindowLongW.USER32(?,000000EB), ref: 00669952

Strings

0, xrefs: 006E6D98
tooltips_class32, xrefs: 006E6E58, 006E6EDD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: bfb28bf497603b5a9261823d21128f102c59347a3b6cd370edc33a374a15d97b
Instruction ID: 02a495b6670774fe98a3a9375b0870360a1d27f32995c4b7082718a7ca3a2b86
Opcode Fuzzy Hash: bfb28bf497603b5a9261823d21128f102c59347a3b6cd370edc33a374a15d97b
Instruction Fuzzy Hash: 3C717670104384AFDB21CF19D884AAABBFAFBA9340F44441DF999872A1C770AD4ACB15

Function 006CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006CC5F0
InternetCloseHandle.WININET(00000000), ref: 006CC5FB

Strings

, xrefs: 006CC575

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2a32de8e4020a0ebfafaeca01be8df816468ae936e98202380d24b804adfe7d2
Instruction ID: 60b4450cf1618c74f625907467ebebcbd37fd67d6a2aabb729fa8ad1ac5854c0
Opcode Fuzzy Hash: 2a32de8e4020a0ebfafaeca01be8df816468ae936e98202380d24b804adfe7d2
Instruction Fuzzy Hash: 63513AB1500748BFDB218F64C988FBA7BFEEF08764F40841DF94A96250DB34EA559B60

Function 006E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 006E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,006EFC38,?), ref: 006E8611
GlobalFree.KERNEL32(00000000), ref: 006E8621
GetObjectW.GDI32(?,00000018,?), ref: 006E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 006E8671
DeleteObject.GDI32(?), ref: 006E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006E86AF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b40ffc9c82ce33378bbd678c57e00de97b7b36854e842ea42575e6ff51ba442
Instruction ID: f2749bf0c188c7cf571bb11d8b36c8f779f3bb549165ca432703a95d8cfd0815
Opcode Fuzzy Hash: 7b40ffc9c82ce33378bbd678c57e00de97b7b36854e842ea42575e6ff51ba442
Instruction Fuzzy Hash: B741FC75601344AFDB11DFA5DC88EAB7BBAEF89725F104058F919EB250DB309902DB60

Function 006C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 006C1502
VariantCopy.OLEAUT32(?,?), ref: 006C150B
VariantClear.OLEAUT32(?), ref: 006C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 006C1657
VariantInit.OLEAUT32(?), ref: 006C1708
SysFreeString.OLEAUT32(?), ref: 006C178C
VariantClear.OLEAUT32(?), ref: 006C17D8
VariantClear.OLEAUT32(?), ref: 006C17E7
VariantInit.OLEAUT32(00000000), ref: 006C1823

Strings

Default, xrefs: 006C16AF
%4d%02d%02d%02d%02d%02d, xrefs: 006C1625

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 736597058cc41c0858744c35020b5edf743c18745c69bb39b6991e2871d83ae2
Instruction ID: b05bf779a3d70dc3c471e1ab4e167c9527d6cfb9fe9e10a1e71624949881a3ae
Opcode Fuzzy Hash: 736597058cc41c0858744c35020b5edf743c18745c69bb39b6991e2871d83ae2
Instruction Fuzzy Hash: 4CD1AFB1600215DBDB109F65D885FB9B7B7FF47700F94805EE806AF282DB30A946DBA1

Function 006DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006DB6AE,?,?), ref: 006DC9B5
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DC9F1
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA68
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 006DB80A
RegCloseKey.ADVAPI32(?), ref: 006DB87E
RegCloseKey.ADVAPI32(?), ref: 006DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 006DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 006DB922
FreeLibrary.KERNEL32(00000000), ref: 006DB983
RegCloseKey.ADVAPI32(00000000), ref: 006DB994

Strings

advapi32.dll, xrefs: 006DB8ED
RegDeleteKeyExW, xrefs: 006DB8FE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0ba493ac626576f98028c66de9dac8b472f2ed0e3b2a7dedc8c97f30bb735b2b
Instruction ID: b4b3307ac1f4d3583b0cd1d10ba1b36cd5e0b4fc8242b603afa529d449cb8206
Opcode Fuzzy Hash: 0ba493ac626576f98028c66de9dac8b472f2ed0e3b2a7dedc8c97f30bb735b2b
Instruction Fuzzy Hash: 56C18B30604241EFD714DF24C494F6ABBE6BF84318F15955DF89A8B3A2CB31E84ACB91

Function 006D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006D25E8
CreateCompatibleDC.GDI32(?), ref: 006D25F4
SelectObject.GDI32(00000000,?), ref: 006D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006D26D0
SelectObject.GDI32(?,?), ref: 006D26D8
DeleteObject.GDI32(?), ref: 006D26E1
DeleteDC.GDI32(?), ref: 006D26E8
ReleaseDC.USER32(00000000,?), ref: 006D26F3

Strings

(, xrefs: 006D268D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e9a53a882e7fbb72522f57e08365fd653877c1ad9030f75e35fe952758233fa7
Instruction ID: 70427d044faee3e4db851f7937a375116008476309fc8459655cde1e40b77731
Opcode Fuzzy Hash: e9a53a882e7fbb72522f57e08365fd653877c1ad9030f75e35fe952758233fa7
Instruction Fuzzy Hash: 1861F175D00219EFCF04CFA8D884AAEBBB6FF48310F20852AE955A7350D771A941CFA4

Function 0068DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0068DAA1

Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D659
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D66B
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D67D
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D68F
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6A1
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6B3
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6C5
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6D7
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6E9
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D6FB
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D70D
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D71F
Part of subcall function 0068D63C: _free.LIBCMT ref: 0068D731

_free.LIBCMT ref: 0068DA96

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 0068DAB8
_free.LIBCMT ref: 0068DACD
_free.LIBCMT ref: 0068DAD8
_free.LIBCMT ref: 0068DAFA
_free.LIBCMT ref: 0068DB0D
_free.LIBCMT ref: 0068DB1B
_free.LIBCMT ref: 0068DB26
_free.LIBCMT ref: 0068DB5E
_free.LIBCMT ref: 0068DB65
_free.LIBCMT ref: 0068DB82
_free.LIBCMT ref: 0068DB9A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7dca7de39729de8b76cd56806726fb31f4af48a80fc6c57fab1cafca3ac8fbd6
Instruction ID: 1b94c7e86f7fca61715171181bba7935768ea0adc9e4f1e5d3166bad2d914ebf
Opcode Fuzzy Hash: 7dca7de39729de8b76cd56806726fb31f4af48a80fc6c57fab1cafca3ac8fbd6
Instruction Fuzzy Hash: AB315C716442069FEB65BA3AE845B9A77EAFF00720F21462DE448D72D1DE34EC808734

Function 006B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006B369C
_wcslen.LIBCMT ref: 006B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006B3797
GetClassNameW.USER32(?,?,00000400), ref: 006B380C
GetDlgCtrlID.USER32(?), ref: 006B385D
GetWindowRect.USER32(?,?), ref: 006B3882
GetParent.USER32(?), ref: 006B38A0
ScreenToClient.USER32(00000000), ref: 006B38A7
GetClassNameW.USER32(?,?,00000100), ref: 006B3921
GetWindowTextW.USER32(?,?,00000400), ref: 006B395D

Strings

%s%u, xrefs: 006B3734

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3d2de20251e9633db36df1f6251d2d96d4a436fcb9efab636fab8b70cf0e7f5b
Instruction ID: 42149437ea08043fb771e4d644f4be17ee0fa7e7ffa0b93c37362a401de7ed31
Opcode Fuzzy Hash: 3d2de20251e9633db36df1f6251d2d96d4a436fcb9efab636fab8b70cf0e7f5b
Instruction Fuzzy Hash: A391A5B1304716AFD715DF24C885FEAB7AAFF44350F008529F999C6290EB30EA85CB91

Function 006B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 006B4994
GetWindowTextW.USER32(?,?,00000400), ref: 006B49DA
_wcslen.LIBCMT ref: 006B49EB
CharUpperBuffW.USER32(?,00000000), ref: 006B49F7
_wcsstr.LIBVCRUNTIME ref: 006B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 006B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 006B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 006B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 006B4B20
GetWindowRect.USER32(?,?), ref: 006B4B8B

Strings

ThumbnailClass, xrefs: 006B4A6F, 006B4AF1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f6a296983b1922a0c49cf819e5382b691a0ddfbf24c4f8dc398e2eaf579359d7
Instruction ID: 00095baaa8c0b44f5fe76fa4d427a9a0f11e32449583a4cfd225192ead98e140
Opcode Fuzzy Hash: f6a296983b1922a0c49cf819e5382b691a0ddfbf24c4f8dc398e2eaf579359d7
Instruction Fuzzy Hash: 49918DB11043059BDB04DF14C985BEA7BEAFF84714F048469FE859A296DF30ED86CBA1

Function 006E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006E8D5A
GetFocus.USER32 ref: 006E8D6A
GetDlgCtrlID.USER32(00000000), ref: 006E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 006E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006E8ECF
GetMenuItemCount.USER32(?), ref: 006E8EEC
GetMenuItemID.USER32(?,00000000), ref: 006E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006E8FA1

Strings

0, xrefs: 006E8E9F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d04a7b90a579eb4a9ab4ffadbcde6f66ff1f3b421e3674fad17bf5fff373a80d
Instruction ID: f94611034a12014cb2c6fa9ddd77b25031e5a35e1f28952f809e5fb8fca074d1
Opcode Fuzzy Hash: d04a7b90a579eb4a9ab4ffadbcde6f66ff1f3b421e3674fad17bf5fff373a80d
Instruction Fuzzy Hash: 4281B071505381AFDB10CF26D884AAB7BEBFF88364F14095DF99997291DB30D901CBA1

Function 006BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006BDC46
_wcslen.LIBCMT ref: 006BDC50
_wcsstr.LIBVCRUNTIME ref: 006BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006BDCBC

Strings

StringFileInfo\, xrefs: 006BDC8F
%u.%u.%u.%u, xrefs: 006BDD9A
DefaultLangCodepage, xrefs: 006BDD1F
\VarFileInfo\Translation, xrefs: 006BDCB4
04090000, xrefs: 006BDCF2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 72908e87353a2248baaab87c1bd983325644e4b2a021d3e3939e5744f436d004
Instruction ID: e24d3ea2b476db9f54e4b45b7619eed3b064bd6cd270b50a134dcff6f3aeffa5
Opcode Fuzzy Hash: 72908e87353a2248baaab87c1bd983325644e4b2a021d3e3939e5744f436d004
Instruction Fuzzy Hash: AB41F5B29403107ADB50A7749C47EFF7BAEEF41720F10406DF904AA182FB759A4297A9

Function 006DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006DCD48

Part of subcall function 006DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006DCCAA
Part of subcall function 006DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006DCCBD
Part of subcall function 006DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006DCCCF
Part of subcall function 006DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006DCD05
Part of subcall function 006DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 006DCCF3

Strings

advapi32.dll, xrefs: 006DCCB8
RegDeleteKeyExW, xrefs: 006DCCC9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 663f98d2bd93f46f365f360ef14c0bfda11499416c980c11a4154810c9853d66
Instruction ID: 8cb48cedb0f3b0e42702e6d9059508ab9c09e278db1e77458499fdf31fe05360
Opcode Fuzzy Hash: 663f98d2bd93f46f365f360ef14c0bfda11499416c980c11a4154810c9853d66
Instruction Fuzzy Hash: EF316E71D0122EBBDB208B55DC88EFFBB7EEF45764F000166F905E6340DA349A46DAA0

Function 006BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006BE6B4

Part of subcall function 0066E551: timeGetTime.WINMM(?,?,006BE6D4), ref: 0066E555

Sleep.KERNEL32(0000000A), ref: 006BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 006BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006BE727
SetActiveWindow.USER32 ref: 006BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 006BE773
Sleep.KERNEL32(000000FA), ref: 006BE77E
IsWindow.USER32 ref: 006BE78A
EndDialog.USER32(00000000), ref: 006BE79B

Strings

BUTTON, xrefs: 006BE719

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ba64ac5c6eb47800aa1ea3cebcfcd5ad7a11cef4e0b62ce5b17a9fcb78949c90
Instruction ID: c02a2db68264ccba5af67e44657518b315ad75dc399221cbb37f36084a210916
Opcode Fuzzy Hash: ba64ac5c6eb47800aa1ea3cebcfcd5ad7a11cef4e0b62ce5b17a9fcb78949c90
Instruction Fuzzy Hash: B02150B1340344BFEB205F20ECC9AE63B6BBB55358B106424F815956A2DB76EC479B28

Function 006BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006BEAA7

Strings

play PlayMe, xrefs: 006BEAA2
play PlayMe wait, xrefs: 006BEA91
status PlayMe mode, xrefs: 006BEA58
alias PlayMe, xrefs: 006BEA36
open , xrefs: 006BEA0C
close PlayMe, xrefs: 006BEA6E, 006BEA9B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c0e141a38d2c1d8a0a0b8493fb7a2809a98f4ee36ffddf57809f46b129b60dba
Instruction ID: a26dc3c4bfcfd83c998bac144b0ec1046f1e3593ef8f17c70f98b4902938e5ce
Opcode Fuzzy Hash: c0e141a38d2c1d8a0a0b8493fb7a2809a98f4ee36ffddf57809f46b129b60dba
Instruction Fuzzy Hash: 8A1182B1A902697AD720A7A5DC4ADFF6B7DEFD1F40F40042DB811A20D1EEB41D89C6B0

Function 006B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006B5CE2
GetWindowRect.USER32(00000000,?), ref: 006B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 006B5D59
GetDlgItem.USER32(?,00000002), ref: 006B5D69
GetWindowRect.USER32(00000000,?), ref: 006B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 006B5DCF
GetDlgItem.USER32(?,000003E9), ref: 006B5DDD
GetWindowRect.USER32(00000000,?), ref: 006B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 006B5E31
GetDlgItem.USER32(?,000003EA), ref: 006B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 006B5E67

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6d313f632198790d537b97255f39d2dbccd2c1ede5a5a58e4240901ef6362942
Instruction ID: ad39ff11da20d2c667108ee2e0fdf788571818be96649216700c2f0f3098af68
Opcode Fuzzy Hash: 6d313f632198790d537b97255f39d2dbccd2c1ede5a5a58e4240901ef6362942
Instruction Fuzzy Hash: F7510DB0A00715AFDF18CF68CD99AEE7BB6AF48310F148229F916E7290D7709E418B50

Function 00668BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00668F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00668BE8,?,00000000,?,?,?,?,00668BBA,00000000,?), ref: 00668FC5

DestroyWindow.USER32(?), ref: 00668C81
KillTimer.USER32(00000000,?,?,?,?,00668BBA,00000000,?), ref: 00668D1B
DestroyAcceleratorTable.USER32(00000000), ref: 006A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00668BBA,00000000,?), ref: 006A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00668BBA,00000000,?), ref: 006A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00668BBA,00000000), ref: 006A69D4
DeleteObject.GDI32(00000000), ref: 006A69E6

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e0c4351073478a8213359ef466746b08eda6025564bdbbc6bfed97f7b4aaa582
Instruction ID: eddff14ef2ac4f1c362657b5531bd52657147baad6c800bbc85ef829af68a4f7
Opcode Fuzzy Hash: e0c4351073478a8213359ef466746b08eda6025564bdbbc6bfed97f7b4aaa582
Instruction Fuzzy Hash: A9619A31102740DFCB359F24C998B6677B3FB55322F58961CE0829B660CB35AC92CFA4

Function 00669838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00669944: GetWindowLongW.USER32(?,000000EB), ref: 00669952

GetSysColor.USER32(0000000F), ref: 00669862

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d8876057bf905c8501932faadb177efb5459ff69f4fdc13b6e23f53b781618a4
Instruction ID: 67ec78bf530759793eb0192a88d367c7891c02f934e2cef3040617cac94593b1
Opcode Fuzzy Hash: d8876057bf905c8501932faadb177efb5459ff69f4fdc13b6e23f53b781618a4
Instruction Fuzzy Hash: 26417F315047449FDB205F389C88BF93BABAB56371F144A59FDA28B2E1D6319C42DB20

Function 006B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0069F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 006B9717
LoadStringW.USER32(00000000,?,0069F7F8,00000001), ref: 006B9720

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0069F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 006B9742
LoadStringW.USER32(00000000,?,0069F7F8,00000001), ref: 006B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 006B9866

Strings

Line %d:, xrefs: 006B97A0
^ ERROR, xrefs: 006B97FB
%s (%d) : ==> %s: %s %s, xrefs: 006B984A
Line %d (File "%s"):, xrefs: 006B978F
Error: , xrefs: 006B981D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3867e6846556d4bd252c5f43ce06cead8fecb2533e7bc0517629ba217e667741
Instruction ID: 8443bee71c4e3dae157a5e593585029862936286509e3afa03452bb9287078de
Opcode Fuzzy Hash: 3867e6846556d4bd252c5f43ce06cead8fecb2533e7bc0517629ba217e667741
Instruction Fuzzy Hash: C2416FB2800219AACF44EBE0CD82DEE777AAF15741F600469FA0572192EB356F49CB75

Function 006B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 006B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006B083C

Strings

\IPC$, xrefs: 006B0784
\CLSID, xrefs: 006B0724
SOFTWARE\Classes\, xrefs: 006B070E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9d08a90c6a5e143840dddcc8080edf66304ac1a24f4f0b21113f6312dbc4dcfd
Instruction ID: 39a0df872840b0168b505fc605496707c313e3c83ff06119ae408fb973703dd6
Opcode Fuzzy Hash: 9d08a90c6a5e143840dddcc8080edf66304ac1a24f4f0b21113f6312dbc4dcfd
Instruction Fuzzy Hash: E7410AB1C10229EBDF15EB94DC958EEB77AFF44750F044129F901A72A1EB305E49CBA0

Function 006D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D3C5C
CoInitialize.OLE32(00000000), ref: 006D3C8A
CoUninitialize.OLE32 ref: 006D3C94
_wcslen.LIBCMT ref: 006D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 006D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 006D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006D3F0E
CoGetObject.OLE32(?,00000000,006EFB98,?), ref: 006D3F2D
SetErrorMode.KERNEL32(00000000), ref: 006D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006D3FC4
VariantClear.OLEAUT32(?), ref: 006D3FD8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 637da1ae604d7dd6b231a39334b96d3ba027e5c6942ea4a03adb0d1c8c3c66a6
Instruction ID: 683d9dd1004aa69329b66af9258b367a420ae725af4b6a30c7917b00bec78aee
Opcode Fuzzy Hash: 637da1ae604d7dd6b231a39334b96d3ba027e5c6942ea4a03adb0d1c8c3c66a6
Instruction Fuzzy Hash: 8DC11371A083159FD700DF68C88496BBBEAAF89744F14491EF9899B351DB30EE06CB52

Function 006C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 006C7BA3
CoCreateInstance.OLE32(006EFD08,00000000,00000001,00716E6C,?), ref: 006C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006C7C74
CoTaskMemFree.OLE32(?,?), ref: 006C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 006C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006C7D7A
CoTaskMemFree.OLE32(00000000), ref: 006C7D81
CoTaskMemFree.OLE32(00000000), ref: 006C7DD6
CoUninitialize.OLE32 ref: 006C7DDC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: af3535b3f0c59fa374f33c78d2a344fa6d687bcab3f56c739561ce5fd4491ebf
Instruction ID: 80b320b1f89d62d3a09eba4934982fd59cd91aec0974da1f8fd5157900d8c27f
Opcode Fuzzy Hash: af3535b3f0c59fa374f33c78d2a344fa6d687bcab3f56c739561ce5fd4491ebf
Instruction Fuzzy Hash: F6C1E975A04209AFCB14DFA4C884DAEBBBAFF48315F148499E81A9B361D730ED45CF94

Function 006E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006E5515
CharNextW.USER32(00000158), ref: 006E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006E55AC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: da528e7ef3f26b8559d901d68f0f5ee8bb5a40d676b985e31e1114f97c0bbeac
Instruction ID: 08b08a389a48b47e6613c5c5d9aa2891621dfcb7f456f93500133c88ce98c00f
Opcode Fuzzy Hash: da528e7ef3f26b8559d901d68f0f5ee8bb5a40d676b985e31e1114f97c0bbeac
Instruction Fuzzy Hash: DB619030902789EFDF109F56CC849FE7BBAEB05728F104145F926AB291D7748A82DB61

Function 006AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 006AFB08
VariantInit.OLEAUT32(?), ref: 006AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006AFB3A
VariantCopy.OLEAUT32(?,?), ref: 006AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006AFBA1
VariantClear.OLEAUT32(?), ref: 006AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 006AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006AFBCC
VariantClear.OLEAUT32(?), ref: 006AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006AFBE9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3cf9e71ee673e3e1343126a1a2c3639447f38fae6c761f50b2fd193ba0e68d7a
Instruction ID: 92896541e80692b30bd111c05929e5f2833638e7cd5321740b2a7142ac9c1e68
Opcode Fuzzy Hash: 3cf9e71ee673e3e1343126a1a2c3639447f38fae6c761f50b2fd193ba0e68d7a
Instruction Fuzzy Hash: 83412335900219DFCB00EFA4D894DEDBBBAFF49354F008069E955AB261DB30AD46CFA1

Function 006B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 006B9D22
GetKeyState.USER32(000000A0), ref: 006B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 006B9D57
GetKeyState.USER32(000000A1), ref: 006B9D6C
GetAsyncKeyState.USER32(00000011), ref: 006B9D84
GetKeyState.USER32(00000011), ref: 006B9D96
GetAsyncKeyState.USER32(00000012), ref: 006B9DAE
GetKeyState.USER32(00000012), ref: 006B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 006B9DD8
GetKeyState.USER32(0000005B), ref: 006B9DEA

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e2bc0540c8a21c4936c2b12ee4ff0f4fd02c333a622c6e4e52782c4eaae3e536
Instruction ID: 309bc8f29fece07833e18565f2f08a8e3c0b72021326ced35dba4b084f65b4e1
Opcode Fuzzy Hash: e2bc0540c8a21c4936c2b12ee4ff0f4fd02c333a622c6e4e52782c4eaae3e536
Instruction Fuzzy Hash: 6641FAB4504BC96DFF31876188453F5BEA36F11344F44805ADBC65A7C2EBA4A9C8CBB2

Function 006D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006D05BC
inet_addr.WSOCK32(?), ref: 006D061C
gethostbyname.WSOCK32(?), ref: 006D0628
IcmpCreateFile.IPHLPAPI ref: 006D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006D07B9
WSACleanup.WSOCK32 ref: 006D07BF

Strings

Ping, xrefs: 006D0676

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c3d69e775f3674f46d5771af103c156c2fe7b669ce9dc0814eb3ef081a035f82
Instruction ID: e260601642c9f005a47192cedde05f3d1c2d62b7fd2d906a5690a071b1f2b4ae
Opcode Fuzzy Hash: c3d69e775f3674f46d5771af103c156c2fe7b669ce9dc0814eb3ef081a035f82
Instruction Fuzzy Hash: 36917E359043419FE720DF15D888F5ABBE2AF44318F1485AAE8698F7A2C730ED45CF91

Function 006D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 006D8CF3

Part of subcall function 006B8E54: _wcslen.LIBCMT ref: 006B8E77

_wcslen.LIBCMT ref: 006D8D4E
_wcslen.LIBCMT ref: 006D8D9C
_wcslen.LIBCMT ref: 006D8DDC
_wcslen.LIBCMT ref: 006D8E6E

Strings

stdcall, xrefs: 006D8DD6, 006D8DDB
cdecl, xrefs: 006D8D48, 006D8D4D
winapi, xrefs: 006D8D96, 006D8D9B
none, xrefs: 006D8E65, 006D8E6A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1f75e2144166f9b95bfd9fba4c83cb9eade724b88069528e485ad232ba384028
Instruction ID: d8606efebedf1b33916668a7f2392686f7f4266d9d6ef04ed0da87b7fa4af3f7
Opcode Fuzzy Hash: 1f75e2144166f9b95bfd9fba4c83cb9eade724b88069528e485ad232ba384028
Instruction Fuzzy Hash: C9518D31E001169FCB24DF68C9559FEB7B7AF64720B20422AE826A73C5EB34DD41CB90

Function 006D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 006D3774
CoUninitialize.OLE32 ref: 006D377F
CoCreateInstance.OLE32(?,00000000,00000017,006EFB78,?), ref: 006D37D9
IIDFromString.OLE32(?,?), ref: 006D384C
VariantInit.OLEAUT32(?), ref: 006D38E4
VariantClear.OLEAUT32(?), ref: 006D3936

Strings

Failed to create object, xrefs: 006D37E4, 006D389A
NULL Pointer assignment, xrefs: 006D381E
Invalid parameter, xrefs: 006D3865

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6ed37beb825f7174c13f7f7bda11ca71c18d7e08c59334bc7a0eb09b9d7bf9ad
Instruction ID: ae19b54243b789900f48716b10a841b693b1a7b52fa0cc15bead912265d2af49
Opcode Fuzzy Hash: 6ed37beb825f7174c13f7f7bda11ca71c18d7e08c59334bc7a0eb09b9d7bf9ad
Instruction Fuzzy Hash: 0D619EB1A08711AFD310DF54C888F9ABBE6AF49710F00080EF9859B391D770EE49DB96

Function 006E8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

Part of subcall function 0066912D: GetCursorPos.USER32(?), ref: 00669141
Part of subcall function 0066912D: ScreenToClient.USER32(00000000,?), ref: 0066915E
Part of subcall function 0066912D: GetAsyncKeyState.USER32(00000001), ref: 00669183
Part of subcall function 0066912D: GetAsyncKeyState.USER32(00000002), ref: 0066919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 006E8B6B
ImageList_EndDrag.COMCTL32 ref: 006E8B71
ReleaseCapture.USER32 ref: 006E8B77
SetWindowTextW.USER32(?,00000000), ref: 006E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 006E8CFF

Strings

@GUI_DRAGFILE, xrefs: 006E8C9A
@GUI_DROPID, xrefs: 006E8C51
p#r, xrefs: 006E8C71

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#r
API String ID: 1924731296-3263970365
Opcode ID: 34a8f407cc1cdf47513cb67a1fbd9da5bcbddccee9838e6d4f00190188335d05
Instruction ID: 3108a7ccbb15390ff12f07ff163f2562fb566beaafca298425bae25e9373619f
Opcode Fuzzy Hash: 34a8f407cc1cdf47513cb67a1fbd9da5bcbddccee9838e6d4f00190188335d05
Instruction Fuzzy Hash: 8C51DF70105380AFD704DF24DC96FAA77E6FB88710F50062DF996A72E1CB30A945CB66

Function 006C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006C33CF

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006C33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 006C3504
"%s" (%d) : ==> %s:, xrefs: 006C3522
^ ERROR , xrefs: 006C349E
Line %d (File "%s"):, xrefs: 006C3443, 006C345C
Error: , xrefs: 006C34D1
Incorrect parameters to object property !, xrefs: 006C34AB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4f3cc76f3034ac3b5fb0099a40131e686c91468ad0b50cffed4893c2cfde2175
Instruction ID: 5ba4428beab7a939c1f6cbe09fc0fd7aaac2edb40a75487c00743d5c68a56894
Opcode Fuzzy Hash: 4f3cc76f3034ac3b5fb0099a40131e686c91468ad0b50cffed4893c2cfde2175
Instruction Fuzzy Hash: CA51D472900219AACF54EBE0CD42EFEB77AEF14741F508069F90572192EB352F99CB64

Function 006BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006BB5FC
_wcslen.LIBCMT ref: 006BB608
_wcslen.LIBCMT ref: 006BB64D
_wcslen.LIBCMT ref: 006BB68C
_wcslen.LIBCMT ref: 006BB6C7

Strings

KEYS, xrefs: 006BB647, 006BB64C
REMOVE, xrefs: 006BB602, 006BB607
EXISTS, xrefs: 006BB686, 006BB68B
APPEND, xrefs: 006BB6C1, 006BB6C6

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 53ee9d9370d1f9c1dd63696a676115aa384a09b3b0e62dad7dc441d9952195a0
Instruction ID: 02a38c614ae2497e552f6ed74c254dfad5b03a1f960853fe3238df1857b66fc9
Opcode Fuzzy Hash: 53ee9d9370d1f9c1dd63696a676115aa384a09b3b0e62dad7dc441d9952195a0
Instruction Fuzzy Hash: 2F41C4B2A001269BCB205F7D8C905FE77A7ABA1754B245229E425DB384FB75CDC2C790

Function 006C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006C5416
GetLastError.KERNEL32 ref: 006C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 006C54A7

Strings

INVALID, xrefs: 006C5459
UNKNOWN, xrefs: 006C5444
NOTREADY, xrefs: 006C544B
READONLY, xrefs: 006C5452
READY, xrefs: 006C5460, 006C5468

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2884ace7b66325ac1660f64ed57277a2b3b6eca817c13c16520f0d9b8d2cd311
Instruction ID: ed3cc6ff74742522545ca2a7adc7c8bac353d35be51aa4ddd428e02a7e58382b
Opcode Fuzzy Hash: 2884ace7b66325ac1660f64ed57277a2b3b6eca817c13c16520f0d9b8d2cd311
Instruction Fuzzy Hash: 3A314C75A006049FC714DF68C888FF97BE6EB45305F148069E806DB292DA75EDC6CB90

Function 006E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 006E3C79
SetMenu.USER32(?,00000000), ref: 006E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006E3D10
IsMenu.USER32(?), ref: 006E3D24
CreatePopupMenu.USER32 ref: 006E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006E3D5B
DrawMenuBar.USER32 ref: 006E3D63

Strings

0, xrefs: 006E3C54
F, xrefs: 006E3D4E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c56d5c6743a9104eea619158b3c6102150ef2e0f1d92a5723f3ce15b46f8cbbc
Instruction ID: 45aa606a3a49f4f034d5ffec93494aa6b495503c62595addc567e6965759a6ad
Opcode Fuzzy Hash: c56d5c6743a9104eea619158b3c6102150ef2e0f1d92a5723f3ce15b46f8cbbc
Instruction Fuzzy Hash: 7C416D75A02359EFDB14CF65D888AEA77B6FF49350F144028F9469B3A0D730AA21CF94

Function 006E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 006E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006E3C13

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1a445411a3d86207bec8fe381e6ce3a58e92e72cdcc58480b290e2060c6e53da
Instruction ID: 5d9d9cffa6f59b09425edb63059cb8815b469a7ae9b056bdfccd3771c6eedcc1
Opcode Fuzzy Hash: 1a445411a3d86207bec8fe381e6ce3a58e92e72cdcc58480b290e2060c6e53da
Instruction Fuzzy Hash: EE619B75900398AFDB20CFA8CC85EEE77B9EB09710F104099FA05A7391C774AA86DB50

Function 006BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB165
GetWindowThreadProcessId.USER32(00000000), ref: 006BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 006BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006BA1E1,?,00000001), ref: 006BB21D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 205470e9e4b1bd8133c5bdaec3c907e6eed98d01a2dcbc1dbca2d9f8b3809c56
Instruction ID: 2872be8763bcae0db6b366e5096c230b6be4cff03a0c8c922d888e3305b85447
Opcode Fuzzy Hash: 205470e9e4b1bd8133c5bdaec3c907e6eed98d01a2dcbc1dbca2d9f8b3809c56
Instruction Fuzzy Hash: 46314FB5610204AFDB209F64DC84FFE7BABEB51321F14A015F915DA290D7B89E828F64

Function 00682C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00682C94

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 00682CA0
_free.LIBCMT ref: 00682CAB
_free.LIBCMT ref: 00682CB6
_free.LIBCMT ref: 00682CC1
_free.LIBCMT ref: 00682CCC
_free.LIBCMT ref: 00682CD7
_free.LIBCMT ref: 00682CE2
_free.LIBCMT ref: 00682CED
_free.LIBCMT ref: 00682CFB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b9d3b683d0c2bf10045ab361d816f3e6f9a3357953f6ce3fb103d962275d0525
Instruction ID: 37a2fa14f4dea81b8adac081404ee4bf63ba5a5b388ead78e8ce01dded16ed5b
Opcode Fuzzy Hash: b9d3b683d0c2bf10045ab361d816f3e6f9a3357953f6ce3fb103d962275d0525
Instruction Fuzzy Hash: 0D11D476100109AFCF82FF55D892CDD3BA6FF05750F4246A8FA489F222DA35EE509B94

Function 00651410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00651459
OleUninitialize.OLE32(?,00000000), ref: 006514F8
UnregisterHotKey.USER32(?), ref: 006516DD
DestroyWindow.USER32(?), ref: 006924B9
FreeLibrary.KERNEL32(?), ref: 0069251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0069254B

Strings

close all, xrefs: 00651454

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 913d87163322ef826e8a50c06f3ef22003ee2d869d6b8229908d8726cd04bf59
Instruction ID: 28c34b492536f24f359584fb1bae0c7815e34c048c74b945109e4133d1577069
Opcode Fuzzy Hash: 913d87163322ef826e8a50c06f3ef22003ee2d869d6b8229908d8726cd04bf59
Instruction Fuzzy Hash: 5BD199307022129FCB19EF14C8A8B68F7A6BF05711F1141ADE84A6B652CB30AD17CF54

Function 00655BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00655C7A

Part of subcall function 00655D0A: GetClientRect.USER32(?,?), ref: 00655D30
Part of subcall function 00655D0A: GetWindowRect.USER32(?,?), ref: 00655D71
Part of subcall function 00655D0A: ScreenToClient.USER32(?,?), ref: 00655D99

GetDC.USER32 ref: 006946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00694708
SelectObject.GDI32(00000000,00000000), ref: 00694716
SelectObject.GDI32(00000000,00000000), ref: 0069472B
ReleaseDC.USER32(?,00000000), ref: 00694733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006947C4

Strings

U, xrefs: 00694693

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 03378a5fb818272797061f0067fa8cfe546ffaa08a6f2fe3e6a16be974529062
Instruction ID: 61d287ad58591874cbfead99be587787e1861bddd0ecdf995e8c359c3eb77c15
Opcode Fuzzy Hash: 03378a5fb818272797061f0067fa8cfe546ffaa08a6f2fe3e6a16be974529062
Instruction Fuzzy Hash: 9B71AC31400209DFCF218FA4C984EFA7BBBFF4A365F144269ED565A666CB319882DF50

Function 006C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006C35E4

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

LoadStringW.USER32(00722390,?,00000FFF,?), ref: 006C360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 006C3724
^ ERROR, xrefs: 006C36C9
"%s" (%d) : ==> %s:, xrefs: 006C3742
Line %d (File "%s"):, xrefs: 006C366B
Error: , xrefs: 006C36EF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d42671aa99c2551266909c801787b007e7a075bccc080bf4c656560477ba85f9
Instruction ID: 9bcbb1266793ee0cd10c66c65f558c622ecf0679baa4adaab6d3fd359dc58ffc
Opcode Fuzzy Hash: d42671aa99c2551266909c801787b007e7a075bccc080bf4c656560477ba85f9
Instruction Fuzzy Hash: C951A371800259BACF54EBA0CC42EEDBB76EF14301F54412DF505722A2DB311B99CFA8

Function 006CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006CC2CA
GetLastError.KERNEL32 ref: 006CC322
SetEvent.KERNEL32(?), ref: 006CC336
InternetCloseHandle.WININET(00000000), ref: 006CC341

Strings

, xrefs: 006CC2BB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d21bfe09543be6b4cbafa19429e1a60e0161329f3bcf34153e7b5953018ee796
Instruction ID: 0dd4e7102ea74cdbfbd8e39fea8cc5b678bc5543d48a38b8a6f2e1ddb6956f60
Opcode Fuzzy Hash: d21bfe09543be6b4cbafa19429e1a60e0161329f3bcf34153e7b5953018ee796
Instruction Fuzzy Hash: D1318DB1600344AFDB219F649888FBB7BFEEB49760B14851EF44E97201DB34DD468B61

Function 006B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00693AAF,?,?,Bad directive syntax error,006ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006B98BC
LoadStringW.USER32(00000000,?,00693AAF,?), ref: 006B98C3

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006B9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 006B98F1
Line %d:, xrefs: 006B9912
., xrefs: 006B996D
Error: , xrefs: 006B9955
Line %d (File "%s"):, xrefs: 006B992D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 5ac1e092f7084baee30c567e093a0edfa99d8c6a7827488a4ef90439556d54d8
Instruction ID: 0ceea919c73959623d3e5bb39f7e6a56cdeaf2fcf3f0ecca097bb2535983ef5c
Opcode Fuzzy Hash: 5ac1e092f7084baee30c567e093a0edfa99d8c6a7827488a4ef90439556d54d8
Instruction Fuzzy Hash: 8421B17180025EEBCF55AF90CC06EEE7736FF18701F044429F915660A2EB319658CB24

Function 006B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006B214D

Strings

largeicons, xrefs: 006B20E1
smallicons, xrefs: 006B2115
SHELLDLL_DefView, xrefs: 006B20CC
list, xrefs: 006B212F
details, xrefs: 006B20FB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e6c07aef0dabb09e70c86b5d41777fdae6e743cd41793bafbd9f9e0a08050837
Instruction ID: d6f98f37cf39b4f03f5a070cc538071893c34a1439f97d24b9bab33e27f68eba
Opcode Fuzzy Hash: e6c07aef0dabb09e70c86b5d41777fdae6e743cd41793bafbd9f9e0a08050837
Instruction Fuzzy Hash: BE1136F6688307B9F7156228DC1ACE733DECB05324B20401AFB08E40D1EE6968C25B18

Function 0068CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0068CEB7
_free.LIBCMT ref: 0068CF22
_free.LIBCMT ref: 0068CF48
_free.LIBCMT ref: 0068CF71
_free.LIBCMT ref: 0068CFA9
_free.LIBCMT ref: 0068CFDA
_free.LIBCMT ref: 0068D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0068D09C
_free.LIBCMT ref: 0068D0B5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 06bed5bfb709cdb6cd1eaed75daad789a23703cdd575483f78d4fe227051f7f7
Instruction ID: 1c76ea8e47d97b5e4dbf84f0e90ecc1a9f2f85c8c69c668c23fed771bd1c0118
Opcode Fuzzy Hash: 06bed5bfb709cdb6cd1eaed75daad789a23703cdd575483f78d4fe227051f7f7
Instruction Fuzzy Hash: 58610BB1A05301AFEF31BFB49855AA97BA7EF05320F14436EFA4497382D6359D0287B4

Function 006E50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006E5186
ShowWindow.USER32(?,00000000), ref: 006E51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006E51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006E51D1

Part of subcall function 006E6FBA: DeleteObject.GDI32(00000000), ref: 006E6FE6

GetWindowLongW.USER32(?,000000F0), ref: 006E520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006E521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006E524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006E5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006E5296

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 289fd64a2e9ac5cb62ace5a1a87b55f62c8ad09730e8ab3434e1f64744260bd1
Instruction ID: a1bde858da8eefc56f5182d47ad68202a95029b79f7d7a4876aa18943a931fbe
Opcode Fuzzy Hash: 289fd64a2e9ac5cb62ace5a1a87b55f62c8ad09730e8ab3434e1f64744260bd1
Instruction Fuzzy Hash: 3C51B530A52B88BFEF209F26CC45BD93B67FB05329F148015FA169A3E1C3759A81DB41

Function 00668B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00668874,00000000,00000000,00000000,000000FF,00000000), ref: 006A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00668874,00000000,00000000,00000000,000000FF,00000000), ref: 006A692D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5b519791c292dd613191cc357dbea5a4bb7e088526e55660b891934aa07cb4d2
Instruction ID: cbc6a2c90ae81fec8042f04b5a98bac95a6e6cfdbd2e34810b401705293ae5de
Opcode Fuzzy Hash: 5b519791c292dd613191cc357dbea5a4bb7e088526e55660b891934aa07cb4d2
Instruction Fuzzy Hash: A55168B0600309EFDB20DF24CC95FAA7BB6FB58760F144618F9569B2A0DB70AD91DB50

Function 006CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006CC182
GetLastError.KERNEL32 ref: 006CC195
SetEvent.KERNEL32(?), ref: 006CC1A9

Part of subcall function 006CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006CC272
Part of subcall function 006CC253: GetLastError.KERNEL32 ref: 006CC322
Part of subcall function 006CC253: SetEvent.KERNEL32(?), ref: 006CC336
Part of subcall function 006CC253: InternetCloseHandle.WININET(00000000), ref: 006CC341

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f47cc3a761125de72a1a8be5b47582e81045b6d8477dea198198bd9cee3ab2ad
Instruction ID: 2fb80f19d8eaa27dd2e1c91121020cf1cbeccc4470d50f934d445d71b3285b5a
Opcode Fuzzy Hash: f47cc3a761125de72a1a8be5b47582e81045b6d8477dea198198bd9cee3ab2ad
Instruction Fuzzy Hash: A1319A71600741AFDB219FA5DC48FB6BBEAFF18320B04441DF95A87610C734EA169BA0

Function 006B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006B3A57
Part of subcall function 006B3A3D: GetCurrentThreadId.KERNEL32 ref: 006B3A5E
Part of subcall function 006B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006B25B3), ref: 006B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 006B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 006B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 006B2627

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1d15e983f265e9dda18a8195b92ece93e223f900aba25986f5329c9bac1c2b92
Instruction ID: 93006d28a02ce1007c137b9e5b0f2b9f09c72d0ac6173bfd370aa9098e74d0f6
Opcode Fuzzy Hash: 1d15e983f265e9dda18a8195b92ece93e223f900aba25986f5329c9bac1c2b92
Instruction Fuzzy Hash: DC01D871390360BBFB206769DCCAF9A3F5ADB4EB22F101015F314AE1D1C9E114859A69

Function 006B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,006B1449,?,?,00000000), ref: 006B180C
HeapAlloc.KERNEL32(00000000,?,006B1449,?,?,00000000), ref: 006B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006B1449,?,?,00000000), ref: 006B1828
GetCurrentProcess.KERNEL32(?,00000000,?,006B1449,?,?,00000000), ref: 006B1830
DuplicateHandle.KERNEL32(00000000,?,006B1449,?,?,00000000), ref: 006B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006B1449,?,?,00000000), ref: 006B1843
GetCurrentProcess.KERNEL32(006B1449,00000000,?,006B1449,?,?,00000000), ref: 006B184B
DuplicateHandle.KERNEL32(00000000,?,006B1449,?,?,00000000), ref: 006B184E
CreateThread.KERNEL32(00000000,00000000,006B1874,00000000,00000000,00000000), ref: 006B1868

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 918367fc0e8b81dc4c440407d3bdf2c39be7698a68f3f7f5fb5c3fcee0653402
Instruction ID: bde031508723f2e651ea4d9183ef5c6a8f50ddc48f52728352c75e23d70ff0f8
Opcode Fuzzy Hash: 918367fc0e8b81dc4c440407d3bdf2c39be7698a68f3f7f5fb5c3fcee0653402
Instruction Fuzzy Hash: 5501BBB5250348BFE710ABA5DC8DFAB3BADEB89B11F415411FA05DF1A1CA709801CB20

Function 006DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 006BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 006BD501
Part of subcall function 006BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 006BD50F
Part of subcall function 006BD4DC: CloseHandle.KERNEL32(00000000), ref: 006BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006DA16D
GetLastError.KERNEL32 ref: 006DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 006DA268
GetLastError.KERNEL32(00000000), ref: 006DA273
CloseHandle.KERNEL32(00000000), ref: 006DA2C4

Strings

SeDebugPrivilege, xrefs: 006DA18F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 88c1685b7706fef62e1c6b964c32d028533f2fe3c93f0924cb77c442a69200dc
Instruction ID: 29a0ebd954fd8cbf2ae9519bd4de5e63cfac72441b0dbe4e89677804f4aaa82e
Opcode Fuzzy Hash: 88c1685b7706fef62e1c6b964c32d028533f2fe3c93f0924cb77c442a69200dc
Instruction Fuzzy Hash: 0C61B1706082429FD710DF59C894F55BBE2AF44318F18849DE4664F7A3C772ED4ACB92

Function 006E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006E3954
_wcslen.LIBCMT ref: 006E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006E39F4

Strings

SysListView32, xrefs: 006E38F7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5bb3831330d1b7cf88b17d602ff3bb5780db626d589c7b11c8a6b7d375ce0f20
Instruction ID: 194cf10f26c2a2e922a10a91a842d5c52d59635a1ecfbbb3ee3e4e669fea9b25
Opcode Fuzzy Hash: 5bb3831330d1b7cf88b17d602ff3bb5780db626d589c7b11c8a6b7d375ce0f20
Instruction Fuzzy Hash: 8041C371A00369ABDF219F65CC49BEB77AAEF08350F10012AF948E7381D7759A85CB90

Function 006BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006BBCFD
IsMenu.USER32(00000000), ref: 006BBD1D
CreatePopupMenu.USER32 ref: 006BBD53
GetMenuItemCount.USER32(00D85C40), ref: 006BBDA4
InsertMenuItemW.USER32(00D85C40,?,00000001,00000030), ref: 006BBDCC

Strings

0, xrefs: 006BBCA8
2, xrefs: 006BBD37

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 25db1feac33698a062707ffe361532df14d21eaab4ed97beb6ab86a4bcd39193
Instruction ID: 8de81548eb528e8948ec103541223f56bd5679690f84018777a59ae584caaab1
Opcode Fuzzy Hash: 25db1feac33698a062707ffe361532df14d21eaab4ed97beb6ab86a4bcd39193
Instruction Fuzzy Hash: B651ADB0A00305DBDF20CFA8D8C4BEEBBF6AF45324F146219E4119B391D7B89981CB61

Function 00672D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00672D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00672D53
_ValidateLocalCookies.LIBCMT ref: 00672DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00672E0C
_ValidateLocalCookies.LIBCMT ref: 00672E61

Strings

csm, xrefs: 00672DF6
&Hg, xrefs: 00672DFE, 00672E07, 00672E18

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hg$csm
API String ID: 1170836740-2821860413
Opcode ID: 908a3242a8003fd113829ff961cb96749af7c19af0b55e5a83ebe46263baf016
Instruction ID: cb1a0a967e69de52409cace6cd1779085ca1fd51ddd6d7b4315ca054ee5abbb3
Opcode Fuzzy Hash: 908a3242a8003fd113829ff961cb96749af7c19af0b55e5a83ebe46263baf016
Instruction Fuzzy Hash: 5A417334E0021A9BCF20DF68CC65ADEBBB7BF45324F14C159E9186B392D731AA45CB91

Function 006BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006BC913

Strings

info, xrefs: 006BC8B4
blank, xrefs: 006BC895
question, xrefs: 006BC8CC
warning, xrefs: 006BC8FC
stop, xrefs: 006BC8E4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 63792f85694c97050c8ae8c4f2bbfda7245ecda98e1bfa8879e4d05990468be6
Instruction ID: 8fb7ff1646eae8abdd9635a346fe73b730789d9af23bd082bf8e68907c930f8a
Opcode Fuzzy Hash: 63792f85694c97050c8ae8c4f2bbfda7245ecda98e1bfa8879e4d05990468be6
Instruction Fuzzy Hash: 2A113DB1689307BAF700AB189C83CEA279DDF15734B10402EF504E62C2EB745FC15368

Function 006BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006BED2A
_wcslen.LIBCMT ref: 006BED3B
_wcslen.LIBCMT ref: 006BED79
_wcslen.LIBCMT ref: 006BEDAF
_wcslen.LIBCMT ref: 006BEDDF
_wcslen.LIBCMT ref: 006BEDEF
_wcslen.LIBCMT ref: 006BEE2B
_wcslen.LIBCMT ref: 006BEE5A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 43c1b3dcb361765d0c8efa7961eff423f259852148aca93a6a327ccbfbcb34e7
Instruction ID: 4d1600347db963bf36b0f828343048172ee3e2e91e811dac15066aea761f47ea
Opcode Fuzzy Hash: 43c1b3dcb361765d0c8efa7961eff423f259852148aca93a6a327ccbfbcb34e7
Instruction Fuzzy Hash: 7E41A465D1011876CB51EBB4C88A9CFB7BAAF45310F50856AF628E3122FB34D345C3EA

Function 0066F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006A682C,00000004,00000000,00000000), ref: 0066F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006A682C,00000004,00000000,00000000), ref: 006AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006A682C,00000004,00000000,00000000), ref: 006AF454

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e8569e0496506cad1a7a6bb13c3ad5a7944420ed1a83a20f1c2bd547613f73a0
Instruction ID: 3e8dd00041744869577e9db6bd00ec1d0578ad7698bdb9e713c5c4d44ec6c495
Opcode Fuzzy Hash: e8569e0496506cad1a7a6bb13c3ad5a7944420ed1a83a20f1c2bd547613f73a0
Instruction Fuzzy Hash: 9F412C30108780BEDB389B69E8C87AA7BE3AB56324F14563CF09757761C631A882CB51

Function 006E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006E2D1B
GetDC.USER32(00000000), ref: 006E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 006E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 006E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006E2DE1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9400c7ddb19203b077b6315f845e8507bb71fef352128401393a13044b58a791
Instruction ID: 2c46d3fe46776d88a03d11d9c059c08a8fc909d24e7f9ada5ecd877faea600e8
Opcode Fuzzy Hash: 9400c7ddb19203b077b6315f845e8507bb71fef352128401393a13044b58a791
Instruction Fuzzy Hash: 44318B72202394BBEB118F558C8AFEB3BAEEF49721F044055FE089E291C6759C41CBA4

Function 006B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006B5637
_memcmp.LIBVCRUNTIME ref: 006B5659
_memcmp.LIBVCRUNTIME ref: 006B5671
_memcmp.LIBVCRUNTIME ref: 006B5684
_memcmp.LIBVCRUNTIME ref: 006B569E
_memcmp.LIBVCRUNTIME ref: 006B56B1
_memcmp.LIBVCRUNTIME ref: 006B56C9
_memcmp.LIBVCRUNTIME ref: 006B56E4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2164783fb890100c38a77aac52920042b6d58a595885bf24ad37c089f35efecb
Instruction ID: 8d4bb7d90ad7ee06824dc04f96edd3c8530531143d5ec095bc7fd31ccea6d95c
Opcode Fuzzy Hash: 2164783fb890100c38a77aac52920042b6d58a595885bf24ad37c089f35efecb
Instruction Fuzzy Hash: A62125B1741A0877A20456258DA2FFB334FAF21798B644035FD0A9A681FB20EE5183A8

Function 006D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 006D502E, 006D5383
Not an Object type, xrefs: 006D5007

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ce70c0133d0eb88d411d725245e7adfad2ddba788626d114a708456fe6596459
Instruction ID: 659377ed57de7fd775cfaebd97657a98a6af46bc809123657ef956f544738891
Opcode Fuzzy Hash: ce70c0133d0eb88d411d725245e7adfad2ddba788626d114a708456fe6596459
Instruction Fuzzy Hash: 8BD19F71E0060A9FDB10CF98C881BEEB7B6BF48354F15806AE916AB780E771DD45CB90

Function 00691522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00691651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006917FB,?,006917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006916FB

Part of subcall function 00683820: RtlAllocateHeap.NTDLL(00000000,?,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6,?,00651129), ref: 00683852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00691777
__freea.LIBCMT ref: 006917A2
__freea.LIBCMT ref: 006917AE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a0bfd18f4efea1fc16634f866d79c21c76e0eb6323137dbadafff782514d6efa
Instruction ID: 55be38dd855cef0775269546c04611ee2f37f723e0941782348fdee284835545
Opcode Fuzzy Hash: a0bfd18f4efea1fc16634f866d79c21c76e0eb6323137dbadafff782514d6efa
Instruction Fuzzy Hash: 6391B5B2E002179ADF218EB4C891AEE7BBF9F4A710F294659E901EF681D735DC41C760

Function 006D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D4648
VariantInit.OLEAUT32(?), ref: 006D4749
VariantClear.OLEAUT32(?), ref: 006D4753
VariantClear.OLEAUT32(?), ref: 006D47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006D45D8, 006D4706, 006D47BE
Incorrect Object type in FOR..IN loop, xrefs: 006D472C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 15496153844b7e1e274318963743eb7d98df346b6e8c6e86952635d069bcbc2f
Instruction ID: 6f6cdec46b3a5b84f6fc0e6dd630e6fab4c93299b964de94a90b9650c59ebc6e
Opcode Fuzzy Hash: 15496153844b7e1e274318963743eb7d98df346b6e8c6e86952635d069bcbc2f
Instruction Fuzzy Hash: E1916E71E00219ABDF24CFA5D884FEE7BBAAF45714F10855AE515AB380DB709D41CBA0

Function 006C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 006C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006C1430

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 66ed1255259557a64406d3790babb42f588ee3dd028849d9cde25b2d037f24c6
Instruction ID: dcbff5b9957a56928d13afb1b3f62d4a4f54f48eb863dd3a686b5b888dbf55fb
Opcode Fuzzy Hash: 66ed1255259557a64406d3790babb42f588ee3dd028849d9cde25b2d037f24c6
Instruction Fuzzy Hash: FF91C1759002199FEB04DF94C884FBEB7B6FF46325F14802DE950EB292D778A942CB94

Function 0066948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 41ace14fa54e4566f7b8579da963997bb8174f939dbfb86d6444d50bbcbc4b8f
Instruction ID: ebaab02ff6490bf0f448cd8a67ded644121bc86145bd582bf477ff43f783b99a
Opcode Fuzzy Hash: 41ace14fa54e4566f7b8579da963997bb8174f939dbfb86d6444d50bbcbc4b8f
Instruction Fuzzy Hash: 7B910671900219EFCB10CFA9CC84AEEBBBAFF49320F144559E916B7251D775AA42CF60

Function 006D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D396B
CharUpperBuffW.USER32(?,?), ref: 006D3A7A
_wcslen.LIBCMT ref: 006D3A8A
VariantClear.OLEAUT32(?), ref: 006D3C1F

Part of subcall function 006C0CDF: VariantInit.OLEAUT32(00000000), ref: 006C0D1F
Part of subcall function 006C0CDF: VariantCopy.OLEAUT32(?,?), ref: 006C0D28
Part of subcall function 006C0CDF: VariantClear.OLEAUT32(?), ref: 006C0D34

Strings

AUTOIT.ERROR, xrefs: 006D3A80, 006D3A85
Incorrect Parameter format, xrefs: 006D39A6, 006D3BA1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 25fd71dac228f49a3383d622a483a0f2775dd3154f792719775319c6767d2803
Instruction ID: 39270efa2e954e5cd9546268d9ee7cecfec341b10250f495e10f437acee7721f
Opcode Fuzzy Hash: 25fd71dac228f49a3383d622a483a0f2775dd3154f792719775319c6767d2803
Instruction Fuzzy Hash: FE917B74A083119FC744DF28C48196AB7E6FF89314F14882EF8899B351DB31EE46CB96

Function 006D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 006B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?,?,006B035E), ref: 006B002B
Part of subcall function 006B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?), ref: 006B0046
Part of subcall function 006B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?), ref: 006B0054
Part of subcall function 006B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?), ref: 006B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006D4C51
_wcslen.LIBCMT ref: 006D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006D4DCF
CoTaskMemFree.OLE32(?), ref: 006D4DDA

Strings

NULL Pointer assignment, xrefs: 006D4E23, 006D4E52

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8ba821566733ba797796388fed9984a9e8dcb0f7437667ff56869adf01f47ce5
Instruction ID: cabba6c6569fceadafb5883f3983f1e7464c37050f65846cf7b800a6e7c133c4
Opcode Fuzzy Hash: 8ba821566733ba797796388fed9984a9e8dcb0f7437667ff56869adf01f47ce5
Instruction Fuzzy Hash: EF91E871D00219EFDF14DFA4C891AEEB7BABF08310F10456AE915AB251EB309E45CFA0

Function 006E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006E2183
GetMenuItemCount.USER32(00000000), ref: 006E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006E21DD
_wcslen.LIBCMT ref: 006E2213
GetMenuItemID.USER32(?,?), ref: 006E224D
GetSubMenu.USER32(?,?), ref: 006E225B

Part of subcall function 006B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006B3A57
Part of subcall function 006B3A3D: GetCurrentThreadId.KERNEL32 ref: 006B3A5E
Part of subcall function 006B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006B25B3), ref: 006B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006E22E3

Part of subcall function 006BE97B: Sleep.KERNEL32 ref: 006BE9F3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 34b2fe5672ca2750e525ba051de5a7fc66429f32f1bb52f625f87face3756ca3
Instruction ID: 6b4c491fee5c9a8f68b2cef9f7a07fbf66ba77ecfe052b8d55b549d4c3fb6428
Opcode Fuzzy Hash: 34b2fe5672ca2750e525ba051de5a7fc66429f32f1bb52f625f87face3756ca3
Instruction Fuzzy Hash: F4717075A00346AFCB50DF65C895AAEB7F7AF48320F148459E916AB341D734EE428B90

Function 006BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006BAEF9
GetKeyboardState.USER32(?), ref: 006BAF0E
SetKeyboardState.USER32(?), ref: 006BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 006BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 006BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 006BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006BB020

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 90abc4f2fc79a6f83040b76cb75585dde4c321a1a5fea367b617d8303bd8be93
Instruction ID: 1ca5be89aef2f0b5cc452de7dccf67c8296813edb368e9daa4574242ee728f70
Opcode Fuzzy Hash: 90abc4f2fc79a6f83040b76cb75585dde4c321a1a5fea367b617d8303bd8be93
Instruction Fuzzy Hash: 6E51DFE0A147D53DFB3692748845BFABEAA5B06304F088489E1E9459C2C3E8E8C8D751

Function 006BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006BAD19
GetKeyboardState.USER32(?), ref: 006BAD2E
SetKeyboardState.USER32(?), ref: 006BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006BAE38

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6fd977928f4372f8d425fb5cb825e8d53dbcbad425b021d05a1a21294deafdbc
Instruction ID: 443c0f9f64019a51ced76128afee6ee15403a94d2a1e76d9b6a05654c7be9e88
Opcode Fuzzy Hash: 6fd977928f4372f8d425fb5cb825e8d53dbcbad425b021d05a1a21294deafdbc
Instruction Fuzzy Hash: ED51C2F15047D53DFB3283A48C95BFA7EAA5F46300F088588E1D546982D2A4ECC9E762

Function 0068542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00693CD6,?,?,?,?,?,?,?,?,00685BA3,?,?,00693CD6,?,?), ref: 00685470
__fassign.LIBCMT ref: 006854EB
__fassign.LIBCMT ref: 00685506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00693CD6,00000005,00000000,00000000), ref: 0068552C
WriteFile.KERNEL32(?,00693CD6,00000000,00685BA3,00000000,?,?,?,?,?,?,?,?,?,00685BA3,?), ref: 0068554B
WriteFile.KERNEL32(?,?,00000001,00685BA3,00000000,?,?,?,?,?,?,?,?,?,00685BA3,?), ref: 00685584

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8bc444688a5becfeaa82be1cd5871c4de5d8912e3def656886b3077a745c46d8
Instruction ID: 9c2f91ff78eb51590bfa49cd706e27a6fb07b26c7a2723f5cb4771b26b3f5c41
Opcode Fuzzy Hash: 8bc444688a5becfeaa82be1cd5871c4de5d8912e3def656886b3077a745c46d8
Instruction Fuzzy Hash: 9151D5709006499FDB10DFA8D885AEEBBFAEF08300F14425AF956E7391E7309A41CB61

Function 006D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006D307A
Part of subcall function 006D304E: _wcslen.LIBCMT ref: 006D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006D1112
WSAGetLastError.WSOCK32 ref: 006D1121
WSAGetLastError.WSOCK32 ref: 006D11C9
closesocket.WSOCK32(00000000), ref: 006D11F9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 70fa0b45bef8ad715b9a4a1d812dda38ec959c681052b0c539608d2faf55a933
Instruction ID: 800166aca692fa9c44aa27e6b8066587a7ea5445de8b49068a19988257abfc1f
Opcode Fuzzy Hash: 70fa0b45bef8ad715b9a4a1d812dda38ec959c681052b0c539608d2faf55a933
Instruction Fuzzy Hash: 6341A231A00214AFDB109F54CC85BAABBABEF46364F14805AFD159F391D7B0AD46CBA1

Function 006BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006BCF22,?), ref: 006BDDFD

Part of subcall function 006BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006BCF22,?), ref: 006BDE16

lstrcmpiW.KERNEL32(?,?), ref: 006BCF45
MoveFileW.KERNEL32(?,?), ref: 006BCF7F
_wcslen.LIBCMT ref: 006BD005
_wcslen.LIBCMT ref: 006BD01B
SHFileOperationW.SHELL32(?), ref: 006BD061

Strings

\*.*, xrefs: 006BCFF3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6e24e7b29558f8c3ea1ec43bcc2c05024b7aa27c718654345af3322bcc96465a
Instruction ID: 187796a909c7c8f4e806df4d2a061770edc9dd52b45eac536ca00fbc4c47eacd
Opcode Fuzzy Hash: 6e24e7b29558f8c3ea1ec43bcc2c05024b7aa27c718654345af3322bcc96465a
Instruction Fuzzy Hash: AF4158B19052189FDF52EFA4C981AEDB7BEAF44340F1000EAE505EB142EB34A7C5CB54

Function 006E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006E2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 006E2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 006E2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006E2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006E2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 006E2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006E2F0B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8d776af124fe6a3a02a38e86b8d3b526aa61499bb44b0147da4b2b33a12c447a
Instruction ID: 4d833843c9946297defe7db25a7d5c4eea20aaba11b8ecda50b974d821287aa6
Opcode Fuzzy Hash: 8d776af124fe6a3a02a38e86b8d3b526aa61499bb44b0147da4b2b33a12c447a
Instruction Fuzzy Hash: 653116306462A29FDB208F19DCD4FA537EBFB5A720F1541A4F9408F2B1CB71AC819B41

Function 006B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006B778F
SysAllocString.OLEAUT32(00000000), ref: 006B7792
SysAllocString.OLEAUT32(?), ref: 006B77B0
SysFreeString.OLEAUT32(?), ref: 006B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006B77DE
SysAllocString.OLEAUT32(?), ref: 006B77EC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 60496399b8a49c918904a732f5295b9213a29a9653d31036262a6619ae7ce0d8
Instruction ID: 0c7c1c962b1021594a7346fea7bf090e100ba7fa3734315d2a55efd1e1c60704
Opcode Fuzzy Hash: 60496399b8a49c918904a732f5295b9213a29a9653d31036262a6619ae7ce0d8
Instruction Fuzzy Hash: E021A1B6604219AFDB10DFA8DC88CFB77EEEB493647108035F914DB290DA70DC828764

Function 006B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006B7868
SysAllocString.OLEAUT32(00000000), ref: 006B786B
SysAllocString.OLEAUT32 ref: 006B788C
SysFreeString.OLEAUT32 ref: 006B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 006B78AF
SysAllocString.OLEAUT32(?), ref: 006B78BD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8cc16f427e3a00a5b37200f5b1f89424a9f067cce5734be23b93396b0d1e57f5
Instruction ID: 7c418fc60dc09dcc3180c6bc7db6f30140310cd34fc4821eccc020972d3c22c4
Opcode Fuzzy Hash: 8cc16f427e3a00a5b37200f5b1f89424a9f067cce5734be23b93396b0d1e57f5
Instruction Fuzzy Hash: 51214175608214BFDB109FB8DC88DEA77EEEB497607108135F915CB2A1DA74DC82CB64

Function 006C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006C052E

Strings

nul, xrefs: 006C0567

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cbb117dff21b3367e504117cea18a8d3e04ac598e7c829e7b6326b9637db9af4
Instruction ID: e4e3185743f800393a234a48bb522d900bf6dac4582afeee67a65237cb315b99
Opcode Fuzzy Hash: cbb117dff21b3367e504117cea18a8d3e04ac598e7c829e7b6326b9637db9af4
Instruction Fuzzy Hash: 7D212CB5500305EFEF209F69D944FAA7BA6EF44724F604A1DE9A1D62E0D7709942CF20

Function 006C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006C0601

Strings

nul, xrefs: 006C0639

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: df08f26ae4c6163bacf2490c9159e39b939d1eb40e14cb4ff58ca9ebdc1ec681
Instruction ID: 9717bcfcb2204e52c4b27bc356df4e69e1f8528db8c14bd8d3796045edbd8df4
Opcode Fuzzy Hash: df08f26ae4c6163bacf2490c9159e39b939d1eb40e14cb4ff58ca9ebdc1ec681
Instruction Fuzzy Hash: 0F217F75500315DFEB209F6A8C44FAA77AAEF95B30F200A1DE9A1E72E0D7709961CB10

Function 006E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0065600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0065604C
Part of subcall function 0065600E: GetStockObject.GDI32(00000011), ref: 00656060
Part of subcall function 0065600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0065606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006E4145

Strings

Msctls_Progress32, xrefs: 006E40E3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e2faa7fa2db882f175603296336ab94e96fd4c75586fbbd01ae34145c1d35d24
Instruction ID: a80b44ee265851ce110dad74b78f8858ccd749c1fd1ec81c27e751ad7691b078
Opcode Fuzzy Hash: e2faa7fa2db882f175603296336ab94e96fd4c75586fbbd01ae34145c1d35d24
Instruction Fuzzy Hash: 6611B6B11402197EEF118F65CC85EE77F5DEF097A8F014110BA18A6190CA769C61DBA4

Function 0068D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0068D7A3: _free.LIBCMT ref: 0068D7CC

_free.LIBCMT ref: 0068D82D

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 0068D838
_free.LIBCMT ref: 0068D843
_free.LIBCMT ref: 0068D897
_free.LIBCMT ref: 0068D8A2
_free.LIBCMT ref: 0068D8AD
_free.LIBCMT ref: 0068D8B8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c61f7253699acb774a04e11736e0118f84b6c4b60a3d0bd989ea8072a2530fa9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 82113A71540B04AADAA1BFB1CC47FCB7BDEAF00B00F400A2DF299A60D2DA69F5058764

Function 006BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006BDA74
LoadStringW.USER32(00000000), ref: 006BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006BDA91
LoadStringW.USER32(00000000), ref: 006BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006BDAB9

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: b86389abb6545391aaa56f76fb62b9a6394fda1464e41c4a47f100654a3a2d19
Instruction ID: cc6d827fb47d43f3934b028814b03e421275359aaa40df2fe8199816ac74727a
Opcode Fuzzy Hash: b86389abb6545391aaa56f76fb62b9a6394fda1464e41c4a47f100654a3a2d19
Instruction Fuzzy Hash: 2D01A2F2500348BFEB009BA4DDC9EE7336DEB08711F000491B706E6041E6749E858F34

Function 006C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D7E1C8,00D7E1C8), ref: 006C097B
EnterCriticalSection.KERNEL32(00D7E1A8,00000000), ref: 006C098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 006C099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 006C09A9
CloseHandle.KERNEL32(00000000), ref: 006C09B8
InterlockedExchange.KERNEL32(00D7E1C8,000001F6), ref: 006C09C8
LeaveCriticalSection.KERNEL32(00D7E1A8), ref: 006C09CF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ea8dbee36d59a0e9964a06365e057a2ee1bed56c945abceba360f5a3a5cb9d8e
Instruction ID: 5b3a3d18d3576d327ddb0c2df4ff3b31ce8c52617e98cd693e454ecb3151e46d
Opcode Fuzzy Hash: ea8dbee36d59a0e9964a06365e057a2ee1bed56c945abceba360f5a3a5cb9d8e
Instruction Fuzzy Hash: A6F01932442B42EFE7415BA4EEC8BE6BA2AFF01712F403025F202988A0C7749566DF90

Function 006D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006D1DE1
WSAGetLastError.WSOCK32 ref: 006D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 006D1EDB
inet_ntoa.WSOCK32(?), ref: 006D1E8C

Part of subcall function 006B39E8: _strlen.LIBCMT ref: 006B39F2

Part of subcall function 006D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,006CEC0C), ref: 006D3240

_strlen.LIBCMT ref: 006D1F35

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 363ef3148523b03f2bae7a7eb9836f84e2bf480a209d0e6fb92446f7860cbb7d
Instruction ID: b4264fdd948ee665d96966c49d76b12d24f5bfdbe7cb0715aab0869ab61aab81
Opcode Fuzzy Hash: 363ef3148523b03f2bae7a7eb9836f84e2bf480a209d0e6fb92446f7860cbb7d
Instruction Fuzzy Hash: B9B1DD30A04340AFD324DF24C895E6A7BE6AF85318F54894DF8564F3A2DBB1ED46CB91

Function 006801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006800D6
__allrem.LIBCMT ref: 006800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068010B
__allrem.LIBCMT ref: 00680122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00680140

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2edfdbb676fde14f8d816cfe05edeccf2079e22090ae4bcc4ba70f3c592e3fa6
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 66810572A007069BE760AF68CC41BAB73EBAF41334F24863EF555DA781EB74D9048754

Function 006861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006782D9,006782D9,?,?,?,0068644F,00000001,00000001,8BE85006), ref: 00686258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0068644F,00000001,00000001,8BE85006,?,?,?), ref: 006862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006863D8
__freea.LIBCMT ref: 006863E5

Part of subcall function 00683820: RtlAllocateHeap.NTDLL(00000000,?,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6,?,00651129), ref: 00683852

__freea.LIBCMT ref: 006863EE
__freea.LIBCMT ref: 00686413

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9c9e724a8d92ef1cf0df36d1ab7eb41dd39397ad93e6920a376da5af6b7f9639
Instruction ID: b32204b5dc9a8772061b7f13cee0619ff99c33538dd656e77d81db5bf122d9d9
Opcode Fuzzy Hash: 9c9e724a8d92ef1cf0df36d1ab7eb41dd39397ad93e6920a376da5af6b7f9639
Instruction Fuzzy Hash: AB51D072A00216ABEB25AF64CC81EEF77ABEB44710F144769FD05DA240EB34DD41C7A0

Function 006DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006DB6AE,?,?), ref: 006DC9B5
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DC9F1
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA68
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006DBD25
RegCloseKey.ADVAPI32(00000000), ref: 006DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006DBDF3
RegCloseKey.ADVAPI32(?), ref: 006DBDFF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3ecd91f0d302ab62d3bc9bf56e059d77f7eb3c0b326ac67ea8b9e3270b144ab7
Instruction ID: 6def72fc166dab73957f0a99e2bf84a1ff24d1e9448c47c9bc5b69cca2b71e44
Opcode Fuzzy Hash: 3ecd91f0d302ab62d3bc9bf56e059d77f7eb3c0b326ac67ea8b9e3270b144ab7
Instruction Fuzzy Hash: E6816930608241EFC714DF24C881E6ABBE6BF84308F15995DF4558B3A2DB32ED09CB92

Function 006AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 006AF7B9
SysAllocString.OLEAUT32(00000001), ref: 006AF860
VariantCopy.OLEAUT32(006AFA64,00000000), ref: 006AF889
VariantClear.OLEAUT32(006AFA64), ref: 006AF8AD
VariantCopy.OLEAUT32(006AFA64,00000000), ref: 006AF8B1
VariantClear.OLEAUT32(?), ref: 006AF8BB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 18c09c81268c954faea830c50ffcae7dd3f2fbf4b925a56b1d423ad5cdb991d6
Instruction ID: 2dc9b44bfd0c027cd08dbaa798deaaa3e12935e17c74d14e3b3b0976a7c43017
Opcode Fuzzy Hash: 18c09c81268c954faea830c50ffcae7dd3f2fbf4b925a56b1d423ad5cdb991d6
Instruction Fuzzy Hash: 1A51C531900310EACF50BBA5D895B6AB3E7EF46310F24546AE805DF291DB709C41CF9B

Function 006C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00657620: _wcslen.LIBCMT ref: 00657625

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006C94E5
_wcslen.LIBCMT ref: 006C9506
_wcslen.LIBCMT ref: 006C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 006C9585

Strings

X, xrefs: 006C9412

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2c09a2c86947157ac1ce9c159b2ad7cc3457783b0a33c7bb17818310ede52c68
Instruction ID: 7f4bda11727c172d26856116355da26e1b3e1f9b8ef4b3b0a9dfb2b1d8d8199f
Opcode Fuzzy Hash: 2c09a2c86947157ac1ce9c159b2ad7cc3457783b0a33c7bb17818310ede52c68
Instruction Fuzzy Hash: F4E16B315043509FC764EF24C885B6AB7E6FF85314F04896DE8899B3A2DB31DD05CBA6

Function 0066920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

BeginPaint.USER32(?,?,?), ref: 00669241
GetWindowRect.USER32(?,?), ref: 006692A5
ScreenToClient.USER32(?,?), ref: 006692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006692D3
EndPaint.USER32(?,?,?,?,?), ref: 00669321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006A71EA

Part of subcall function 00669339: BeginPath.GDI32(00000000), ref: 00669357

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8cbb120e087f4e646a8da2c093dcf5a36cd590e8eabf2bdbac3e5ec7d93dd104
Instruction ID: 4a1368a7bf49b869aecdf29662daac3065ea43925c2bc582ffedea018bac10a6
Opcode Fuzzy Hash: 8cbb120e087f4e646a8da2c093dcf5a36cd590e8eabf2bdbac3e5ec7d93dd104
Instruction Fuzzy Hash: 6F41AC70104340AFD721DF24CC94FAA7BEAFB96320F040229F9949B2A1C734AC46DB65

Function 006C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006C0847
EnterCriticalSection.KERNEL32(?), ref: 006C0863
LeaveCriticalSection.KERNEL32(?), ref: 006C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006C0921

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 12fe92f77c96179990080b6db20e1d90901240f53754caeba4c0f1b555e8d759
Instruction ID: ca6db8dbbe88ce4fbc26ea997eba1c088e6671a81c7c62b85ae5bfa1e50efc6b
Opcode Fuzzy Hash: 12fe92f77c96179990080b6db20e1d90901240f53754caeba4c0f1b555e8d759
Instruction Fuzzy Hash: 3A415971900205EFEF14AF54DC85AAA7B7AFF04310F1480A9ED049E296DB31DE61DBA4

Function 006E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006AF3AB,00000000,?,?,00000000,?,006A682C,00000004,00000000,00000000), ref: 006E824C
EnableWindow.USER32(00000000,00000000), ref: 006E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006E82D1
ShowWindow.USER32(00000000,00000004), ref: 006E82E5
EnableWindow.USER32(00000000,00000001), ref: 006E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006E832F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7ab3449334e8951350dede73e4c0df8df3df3dd506f0589c834fb8ca7cbc17c7
Instruction ID: 52e0472447bf49a69f147987b656b3c88df01a54e526d2820cd7a14d9182a766
Opcode Fuzzy Hash: 7ab3449334e8951350dede73e4c0df8df3df3dd506f0589c834fb8ca7cbc17c7
Instruction Fuzzy Hash: C841D7306027C0AFDF25CF56C895BE47BE2BB06714F1851A8E64C4F3A2C7326946CB84

Function 006B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006B4CEA
_wcslen.LIBCMT ref: 006B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006B4D10
_wcsstr.LIBVCRUNTIME ref: 006B4D1A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 218659d0f79eef01eb43a4a7ab02d2c34c5badc51484d5977ed29050fe18a80f
Instruction ID: 24ba80b9dd4e30e475411909f1dad06cb8426364035fe63623d88464fd6a871c
Opcode Fuzzy Hash: 218659d0f79eef01eb43a4a7ab02d2c34c5badc51484d5977ed29050fe18a80f
Instruction Fuzzy Hash: 7121A7726042507BEB155B29EC49EBB7FAADF45760F10802DF805CA292EF61DC4197A0

Function 006C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00653AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00653A97,?,?,00652E7F,?,?,?,00000000), ref: 00653AC2

_wcslen.LIBCMT ref: 006C587B
CoInitialize.OLE32(00000000), ref: 006C5995
CoCreateInstance.OLE32(006EFCF8,00000000,00000001,006EFB68,?), ref: 006C59AE
CoUninitialize.OLE32 ref: 006C59CC

Strings

.lnk, xrefs: 006C5876, 006C58C1, 006C5985

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b7b3b0367ff1a7da2b794130638f3db92f90df4255126c2349ef0dd368bc16ec
Instruction ID: 9485d778c05e363e9979d706ab713437b830adb983cdc4361c29b2caaa0718e3
Opcode Fuzzy Hash: b7b3b0367ff1a7da2b794130638f3db92f90df4255126c2349ef0dd368bc16ec
Instruction Fuzzy Hash: 5ED154756047019FC714DF24C890E6ABBE2EF89710F14895DF88A9B361DB31ED89CB92

Function 006B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006B0FCA
Part of subcall function 006B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006B0FD6
Part of subcall function 006B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006B0FE5
Part of subcall function 006B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006B0FEC
Part of subcall function 006B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006B1002

GetLengthSid.ADVAPI32(?,00000000,006B1335), ref: 006B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006B17BA
HeapAlloc.KERNEL32(00000000), ref: 006B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006B17DA
GetProcessHeap.KERNEL32(00000000,00000000,006B1335), ref: 006B17EE
HeapFree.KERNEL32(00000000), ref: 006B17F5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0b00272ced2e467e134e1a73c025694546506d800654a49d0d306d74af491bb8
Instruction ID: 8b5e38946ee3521ce7a490346eb69c9d7f5c5e9d47e585b22a6848022007f8c0
Opcode Fuzzy Hash: 0b00272ced2e467e134e1a73c025694546506d800654a49d0d306d74af491bb8
Instruction Fuzzy Hash: 3911AFB2510205FFDB109FA4CC99BEE7BAAEB42365F504028F8419B250CB369A81DB60

Function 006B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 006B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006B1515
CloseHandle.KERNEL32(00000004), ref: 006B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 006B1563

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4995124c6e5e68008240368b4823ce2ca79dcecc721e017003fcc7d0e8fffaa2
Instruction ID: 1f30a37d7ef7e8b6c6ea2ad4a961299c1c2d321d58be21d9dc64c75e37fae89f
Opcode Fuzzy Hash: 4995124c6e5e68008240368b4823ce2ca79dcecc721e017003fcc7d0e8fffaa2
Instruction Fuzzy Hash: 281117B2500249BBDF11CF98DD49BDE7BAAEB49754F044025FA05AA160C3768EA19B60

Function 00673382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00673379,00672FE5), ref: 00673390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0067339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006733B7
SetLastError.KERNEL32(00000000,?,00673379,00672FE5), ref: 00673409

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 80f02c5e7972d810e386adabb38cb5209ab7ff3b2bfdb45914f17731a83f0c19
Instruction ID: 550cc82524e9a17948f5d8702997c27af61337cbdd62c12c20519af4a5f7a83a
Opcode Fuzzy Hash: 80f02c5e7972d810e386adabb38cb5209ab7ff3b2bfdb45914f17731a83f0c19
Instruction Fuzzy Hash: 1B01B132649331AEAA6627B86C859A62A97EB19379720C32DF528853F0EF114D027658

Function 00682D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00685686,00693CD6,?,00000000,?,00685B6A,?,?,?,?,?,0067E6D1,?,00718A48), ref: 00682D78
_free.LIBCMT ref: 00682DAB
_free.LIBCMT ref: 00682DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0067E6D1,?,00718A48,00000010,00654F4A,?,?,00000000,00693CD6), ref: 00682DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0067E6D1,?,00718A48,00000010,00654F4A,?,?,00000000,00693CD6), ref: 00682DEC
_abort.LIBCMT ref: 00682DF2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b4759e3029b13029c8278f47b574bf4d98ab72d9b8cbc193b214ef787143d8bf
Instruction ID: 9c8cb6cfa975cc14bc704dcfaa704449709639dbe912e07ae6cdd468c101c86b
Opcode Fuzzy Hash: b4759e3029b13029c8278f47b574bf4d98ab72d9b8cbc193b214ef787143d8bf
Instruction Fuzzy Hash: 3EF0287664560377C7523338BC3AE9B295BAFC1BB0F21431CF824923D2EF2888025364

Function 006E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00669639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00669693
Part of subcall function 00669639: SelectObject.GDI32(?,00000000), ref: 006696A2
Part of subcall function 00669639: BeginPath.GDI32(?), ref: 006696B9
Part of subcall function 00669639: SelectObject.GDI32(?,00000000), ref: 006696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 006E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006E8A70
LineTo.GDI32(?,00000000,00000003), ref: 006E8A80
EndPath.GDI32(?), ref: 006E8A90
StrokePath.GDI32(?), ref: 006E8AA0

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1bb1fbeae8bd3a4aaa0f0dc7af12a7d313b815a59a058b55006f1813af21fa13
Instruction ID: 503aa8c4820ca5f5c777334a71f57c08b0e59a47ccd6d745eb760b21da344541
Opcode Fuzzy Hash: 1bb1fbeae8bd3a4aaa0f0dc7af12a7d313b815a59a058b55006f1813af21fa13
Instruction Fuzzy Hash: 10110C7600028CFFDF129F94DC88EDA7F6DEB04364F008025FA199A161C772AD56DB60

Function 006B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 006B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B5230
ReleaseDC.USER32(00000000,00000000), ref: 006B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 006B5261

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9eba4dce7ebef2ce0f1daf29ad26bfae66b0fe7dba3ce2ca80f16a5da696251d
Instruction ID: 9041dcea4e425d532fbedd17a6c7f111c899bec1e95ce7782c9c7e18d7f35f11
Opcode Fuzzy Hash: 9eba4dce7ebef2ce0f1daf29ad26bfae66b0fe7dba3ce2ca80f16a5da696251d
Instruction Fuzzy Hash: A0018475A01704BBEB109BE59C49F8EBF79EB44761F044065FA05AB280D6709D01CF60

Function 00651BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00651BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00651BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00651C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00651C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00651C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00651C22

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 559f6d6a1dcba2d09df388faa8de68366a1aeffa6d64da1bf7e9b619ed9f06bf
Instruction ID: fca4dd7a7d7bbee980f9ac01a0bd7816e8ce7e9175e2e0740a9b58b9bfc155e5
Opcode Fuzzy Hash: 559f6d6a1dcba2d09df388faa8de68366a1aeffa6d64da1bf7e9b619ed9f06bf
Instruction Fuzzy Hash: 860144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 006BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 006BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006BEB75

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 49f2f47023b18899716082c0f99dc2d15f90456cb0c853ddf1b771b3192c0d77
Instruction ID: 9d87f6969409cbdc8d22e339ca19aedd080018247697d6a30c355086d47187be
Opcode Fuzzy Hash: 49f2f47023b18899716082c0f99dc2d15f90456cb0c853ddf1b771b3192c0d77
Instruction Fuzzy Hash: BDF05E72240698BFE7215B629C4EEEF3F7DEFCAB21F001158FA01D9191D7A05A02C6B5

Function 006A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 006A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 006A7469
GetWindowDC.USER32(?), ref: 006A7475
GetPixel.GDI32(00000000,?,?), ref: 006A7484
ReleaseDC.USER32(?,00000000), ref: 006A7496
GetSysColor.USER32(00000005), ref: 006A74B0

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 7a30acd7b2532b250dec3f44129285461fccc56c5ef44b3ed12bd61401495541
Instruction ID: e648fec296ab67dd251a38e27cc1fc9ca7e11576022a2c06e634523236e8de0d
Opcode Fuzzy Hash: 7a30acd7b2532b250dec3f44129285461fccc56c5ef44b3ed12bd61401495541
Instruction Fuzzy Hash: FF018B31400255EFDB106F64DC48BEE7BB7FB08321F505064F926A61A1CB312E53AF10

Function 006B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006B187F
UnloadUserProfile.USERENV(?,?), ref: 006B188B
CloseHandle.KERNEL32(?), ref: 006B1894
CloseHandle.KERNEL32(?), ref: 006B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006B18A5
HeapFree.KERNEL32(00000000), ref: 006B18AC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1ca578b6c25a815b1d4ed139085ff398562016deea2e9970eb726965e5b19af9
Instruction ID: e0a00e4bc43f7f1b0c93e795e1cba52c0fa9600bae87f8cdb2bdeef1681bd39f
Opcode Fuzzy Hash: 1ca578b6c25a815b1d4ed139085ff398562016deea2e9970eb726965e5b19af9
Instruction Fuzzy Hash: 67E0E536014B41BBDB015FA1ED4C94ABF3AFF4AB32B109220F625890B0CB329422EF50

Function 0065BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0065BEB3

Strings

D%rD%r, xrefs: 0065BCA5
D%r, xrefs: 0065BCA2
D%r, xrefs: 0065BDED, 0065BD91, 0065BD1B
D%r, xrefs: 0065BE9A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%r$D%r$D%r$D%rD%r
API String ID: 1385522511-2839123534
Opcode ID: e19a3c6796092ae0d3d4578fe5461d9231c3f6e4400c52195ebfd6dc3671f143
Instruction ID: 7f3460fdca1e43d246c9e2c4682f2b3674c840b868c991fef5c69116b2fcecc7
Opcode Fuzzy Hash: e19a3c6796092ae0d3d4578fe5461d9231c3f6e4400c52195ebfd6dc3671f143
Instruction Fuzzy Hash: 82916875A0020ADFCB18CF59C0916AAB7F2FF58311F24916EE941AB351E731E986CB94

Function 006D7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00670242: EnterCriticalSection.KERNEL32(0072070C,00721884,?,?,0066198B,00722518,?,?,?,006512F9,00000000), ref: 0067024D
Part of subcall function 00670242: LeaveCriticalSection.KERNEL32(0072070C,?,0066198B,00722518,?,?,?,006512F9,00000000), ref: 0067028A

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006700A3: __onexit.LIBCMT ref: 006700A9

__Init_thread_footer.LIBCMT ref: 006D7BFB

Part of subcall function 006701F8: EnterCriticalSection.KERNEL32(0072070C,?,?,00668747,00722514), ref: 00670202
Part of subcall function 006701F8: LeaveCriticalSection.KERNEL32(0072070C,?,00668747,00722514), ref: 00670235

Strings

+Tj, xrefs: 006D7E2E
5, xrefs: 006D7C78
Variable must be of type 'Object'., xrefs: 006D7C3A
G, xrefs: 006D7C7F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tj$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1733505454
Opcode ID: 14800fe60d23eaea26a9411b46855a87a4e7d9181918761153f56a9404ab583f
Instruction ID: 1609d4317e32fa9fbb81e219d220cc808c15093f4588e926c7840f582422c9ba
Opcode Fuzzy Hash: 14800fe60d23eaea26a9411b46855a87a4e7d9181918761153f56a9404ab583f
Instruction Fuzzy Hash: C5915B74A04209EFCB14EF94D8919ADB7B3EF45300F10805EF846AB392EB71AE45CB56

Function 006BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657620: _wcslen.LIBCMT ref: 00657625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006BC6EE
_wcslen.LIBCMT ref: 006BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006BC7CA

Strings

0, xrefs: 006BC6AF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c3af724e94f9b5cb6f9141299a8dfd9c0f847dd4f7798725f5ec9e3ddb8d0e07
Instruction ID: 277931e8f99e02b3da72035819d8733bfb3bcf9787424a9ef3776fcb6f0e3af4
Opcode Fuzzy Hash: c3af724e94f9b5cb6f9141299a8dfd9c0f847dd4f7798725f5ec9e3ddb8d0e07
Instruction Fuzzy Hash: AA51D0F16043409BD754DF28C885BEB77EAAF49320F040A3DF995D3290EB64DA84CB56

Function 006DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 006DAEA3

Part of subcall function 00657620: _wcslen.LIBCMT ref: 00657625

GetProcessId.KERNEL32(00000000), ref: 006DAF38
CloseHandle.KERNEL32(00000000), ref: 006DAF67

Strings

@, xrefs: 006DAE72
<, xrefs: 006DAE6B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 894e27f03625ea47be73a47601ce338e8fbec1b5950b5b1ac5470f457f61c4b6
Instruction ID: 9044f712f0e868f21f0840df1ecbe58480cfc55c978469578142c149d318bcd1
Opcode Fuzzy Hash: 894e27f03625ea47be73a47601ce338e8fbec1b5950b5b1ac5470f457f61c4b6
Instruction Fuzzy Hash: 1F716671A04219DFCB14DF94D484A9EBBF2BF08310F04849EE856AB3A2DB74ED45CB95

Function 006B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006B72CF

Strings

DllGetClassObject, xrefs: 006B7242

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1cca060fd5b3a98ab994a85559c279dc1b7733071d8bb85340793fc63a4c04b0
Instruction ID: be4d612a05a9f0d8638f23c3128e0ac106aa79ab496acfbd5c7b0d68e7980893
Opcode Fuzzy Hash: 1cca060fd5b3a98ab994a85559c279dc1b7733071d8bb85340793fc63a4c04b0
Instruction Fuzzy Hash: DA4141B1A04204EFDB15CF54C884ADA7BAAEF84311F1580ADFD059F24AD7B1DA85CBA0

Function 006E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006E2F8D
LoadLibraryW.KERNEL32(?), ref: 006E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006E2FA9
DestroyWindow.USER32(?), ref: 006E2FB1

Strings

SysAnimate32, xrefs: 006E2F68

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3ad1d0cedd8bb36bf703a9567777e888f1c03e58c5620517fb661b39e9303e9b
Instruction ID: 93650a507bcce96dad22f6a2fb0c43f98607a098f0b69c9af229b1cd4ce1de70
Opcode Fuzzy Hash: 3ad1d0cedd8bb36bf703a9567777e888f1c03e58c5620517fb661b39e9303e9b
Instruction Fuzzy Hash: AA21DE72241386ABEB104F65DCA0EBB37BFFB58324F100218F910D6290D771DC529760

Function 00674D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00674D1E,006828E9,?,00674CBE,006828E9,007188B8,0000000C,00674E15,006828E9,00000002), ref: 00674D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00674DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00674D1E,006828E9,?,00674CBE,006828E9,007188B8,0000000C,00674E15,006828E9,00000002,00000000), ref: 00674DC3

Strings

CorExitProcess, xrefs: 00674D98
mscoree.dll, xrefs: 00674D86

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 32af16c18c30271af49aa157bbdfd625a9e1bb9acc083aa080bf4418f2f7a5af
Instruction ID: 5158815645e94c5f01f25b29c3d725084d88a34e85f9b905a78e33d34b787e4f
Opcode Fuzzy Hash: 32af16c18c30271af49aa157bbdfd625a9e1bb9acc083aa080bf4418f2f7a5af
Instruction Fuzzy Hash: 21F04434540348FBDB115F94DC49BEDBFB7EF44751F014198F909A6251DF305941CA94

Function 00654E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00654EDD,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00654EAE
FreeLibrary.KERNEL32(00000000,?,?,00654EDD,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654EC0

Strings

kernel32.dll, xrefs: 00654E94
Wow64DisableWow64FsRedirection, xrefs: 00654EA8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f795bdee2c4327c94e3c4c4e247302d53b681fd24f892376cd9415c684225371
Instruction ID: a18d03b831a1802b56c1d840c189c8198b996871f45a5ecd0071dba6e55881ef
Opcode Fuzzy Hash: f795bdee2c4327c94e3c4c4e247302d53b681fd24f892376cd9415c684225371
Instruction Fuzzy Hash: CEE08635A027225BD3211725AC19ADB6557AF82F77B050155FC00D7240DF64CD4640A0

Function 00654E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00693CDE,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00654E74
FreeLibrary.KERNEL32(00000000,?,?,00693CDE,?,00721418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00654E87

Strings

kernel32.dll, xrefs: 00654E5B
Wow64RevertWow64FsRedirection, xrefs: 00654E6E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5cc6b7a0af3498aadedbb5a3697e2bf79997321be4e18b999c3f083ef976733c
Instruction ID: 3dd9e726289044dc362546ab1eaaca6fa4948e671973aa52976edb84b0f08e74
Opcode Fuzzy Hash: 5cc6b7a0af3498aadedbb5a3697e2bf79997321be4e18b999c3f083ef976733c
Instruction Fuzzy Hash: DBD0C23190276157C7221B256C09DCB2A1BAF81F363050154BC00A6210CF20CD4681D0

Function 006DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 006DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006DA468
CloseHandle.KERNEL32(?), ref: 006DA63D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cd29e3caa05fed261b282176c8863c812c1f1dc7e909a12b00294ae14defa17a
Instruction ID: a49af294acb2d52f47282e01cb05abc4db56f93efbb523a2c87afea7dc4aba1b
Opcode Fuzzy Hash: cd29e3caa05fed261b282176c8863c812c1f1dc7e909a12b00294ae14defa17a
Instruction Fuzzy Hash: 00A1B1716043009FD760DF24D882F2AB7E6AF84714F14885DF99A9B392DBB0EC45CB96

Function 0068BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006F3700), ref: 0068BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0072121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0068BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00721270,000000FF,?,0000003F,00000000,?), ref: 0068BC36
_free.LIBCMT ref: 0068BB7F

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 0068BD4B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 73666e0cbb8198906169a0b042cbde7152a83a83f8256e680f0f3d6f1dc0dda3
Instruction ID: bc8b704960dc6ea8cf2cf6fab76cb9334e17be90cb8c27f4c2d64560755176b3
Opcode Fuzzy Hash: 73666e0cbb8198906169a0b042cbde7152a83a83f8256e680f0f3d6f1dc0dda3
Instruction Fuzzy Hash: 6B51E671900209EFCB20FF699C819AEB7BAFF54310B50536EF424D7291EB709E418B58

Function 006BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006BCF22,?), ref: 006BDDFD

Part of subcall function 006BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006BCF22,?), ref: 006BDE16

Part of subcall function 006BE199: GetFileAttributesW.KERNEL32(?,006BCF95), ref: 006BE19A

lstrcmpiW.KERNEL32(?,?), ref: 006BE473
MoveFileW.KERNEL32(?,?), ref: 006BE4AC
_wcslen.LIBCMT ref: 006BE5EB
_wcslen.LIBCMT ref: 006BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 006BE650

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 983f00cf10ced8ab9ed09929a1c555fc96cba788e30211050f27d200b8cc0980
Instruction ID: 3d3c8fa2bca6165b01880d23878f436feae84393b253c0acfedbb2ffac7e6245
Opcode Fuzzy Hash: 983f00cf10ced8ab9ed09929a1c555fc96cba788e30211050f27d200b8cc0980
Instruction Fuzzy Hash: D05174F24083459BC764DBA4D8819DF73EEAF85340F00491EF689D3151EF75A68C876A

Function 006DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006DB6AE,?,?), ref: 006DC9B5
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DC9F1
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA68
Part of subcall function 006DC998: _wcslen.LIBCMT ref: 006DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006DBB63
RegCloseKey.ADVAPI32(?,?), ref: 006DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 006DBBB3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e07f6cefe26dccb8f53083d318bb129152660b32614b51946f3608ae116e2e6e
Instruction ID: ac14caf8f11da9468ce8a1b11ab4820792b268ddf8d8b00493a722173334a5ad
Opcode Fuzzy Hash: e07f6cefe26dccb8f53083d318bb129152660b32614b51946f3608ae116e2e6e
Instruction Fuzzy Hash: F6617B31608241EFC714DF14C490E6ABBE6EF84308F15995EF4998B392DB31ED4ACB92

Function 006B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006B8BCD
VariantClear.OLEAUT32 ref: 006B8C3E
VariantClear.OLEAUT32 ref: 006B8C9D
VariantClear.OLEAUT32(?), ref: 006B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006B8D3B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8c483ad8c1ff65d5279829828da6857aa8b84fd992091062cd9f0d3aacfc55dd
Instruction ID: 718f6bc62086eb3a03a561ecbafb7a6c9203066b634622eb93093bb338c0a970
Opcode Fuzzy Hash: 8c483ad8c1ff65d5279829828da6857aa8b84fd992091062cd9f0d3aacfc55dd
Instruction Fuzzy Hash: D1516AB5A00619EFCB10CF68C894AEAB7F9FF89310B15855AE909DB350E730E911CF90

Function 006C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006C8C5F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b8be3596badcb69f23b9150c624b7ad332d8c56151dc7ec13608bb362d156b1b
Instruction ID: 321cd5cdd886f27eb704b079b07dd093bc04a001fa449f7b2a4565eebad425dc
Opcode Fuzzy Hash: b8be3596badcb69f23b9150c624b7ad332d8c56151dc7ec13608bb362d156b1b
Instruction Fuzzy Hash: 74514835A00215AFCB15DF64C881EAABBF6FF49314F08845CE849AB362DB31ED55CB94

Function 006D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 006D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 006D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 006D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 006D9032
FreeLibrary.KERNEL32(00000000), ref: 006D9052

Part of subcall function 0066F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006C1043,?,75C0E610), ref: 0066F6E6
Part of subcall function 0066F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006AFA64,00000000,00000000,?,?,006C1043,?,75C0E610,?,006AFA64), ref: 0066F70D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 54de3f408af78873259f070bc729b7df6742e9cda02bf9e963f9b2ffaf5e13cd
Instruction ID: 2187b0165ce771b8cc853bb7d37e2229cee253e0e6e7a8525e3bdc658087127c
Opcode Fuzzy Hash: 54de3f408af78873259f070bc729b7df6742e9cda02bf9e963f9b2ffaf5e13cd
Instruction Fuzzy Hash: 0B512B35A04205DFCB55DF68C4948ADBBF2FF49324F048099E8169B362DB31ED8ACB90

Function 006E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 006E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 006E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006CAB79,00000000,00000000), ref: 006E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006E6CC7

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 004b6de413a372640366df5b8dc2b34471228df12091cb4218e78b865a303c99
Instruction ID: 65f6a10a5d3d5bae275ba22b6cd56b8e7be068455cd15a520fb746aeed66a15c
Opcode Fuzzy Hash: 004b6de413a372640366df5b8dc2b34471228df12091cb4218e78b865a303c99
Instruction Fuzzy Hash: B541E735601384AFD724CF2ACC94FE57BA6EB197A0F250268FC95A73E0D371AD52C640

Function 00682051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006820C3
_free.LIBCMT ref: 006820E3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a039a5181d932edd70c31237ce5a875456230aba791a56e46af15bc7d316e957
Instruction ID: 3098bbfb2163abd11a1899f05b8a8e2dbfdc997b62f5af71c82aed087559713a
Opcode Fuzzy Hash: a039a5181d932edd70c31237ce5a875456230aba791a56e46af15bc7d316e957
Instruction Fuzzy Hash: 9E41E672A00201AFCB20EF78C894A9DB7E6EF88714F158668E615EB391D731ED01CB80

Function 0066912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00669141
ScreenToClient.USER32(00000000,?), ref: 0066915E
GetAsyncKeyState.USER32(00000001), ref: 00669183
GetAsyncKeyState.USER32(00000002), ref: 0066919D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b6796524053806f2c149217906fc68895306027c998cc8014c2f569af268af84
Instruction ID: beb10b30848a1bfd25b2a30e62807049ae81bdeaac3ea2ebe117436429b9f0a9
Opcode Fuzzy Hash: b6796524053806f2c149217906fc68895306027c998cc8014c2f569af268af84
Instruction Fuzzy Hash: CB41527150860AEBDF159F64C844BEEF7BAFB06324F244219E825A6290C7345D55CFA1

Function 006C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 006C3922
TranslateMessage.USER32(?), ref: 006C394B
DispatchMessageW.USER32(?), ref: 006C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006C3966

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 60a75360cb9426bd18e8c2cf5e3559e8c87d73396765972798011eeb99bfcbf7
Instruction ID: 304a1707fd1b53791dbc9d3714e9940a90b5d37f4ab4160d6eac640aa018cd6c
Opcode Fuzzy Hash: 60a75360cb9426bd18e8c2cf5e3559e8c87d73396765972798011eeb99bfcbf7
Instruction Fuzzy Hash: 0E31B7709043A29EEB35CB349848FF637AAFB15304F44C56DE452C63A1F3B99686CB15

Function 006CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 006CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 006CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,006CC21E,00000000), ref: 006CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,006CC21E,00000000), ref: 006CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,006CC21E,00000000), ref: 006CCFF2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e27b6ddd714dc1ce9e7ae0b6cd16e1acc575801cde0ba989621d56644dc37cf4
Instruction ID: 0fd1a870bf6c788b36366a7f5b4a2adc635e6f8b0816dd7b1119b35ead14ee3a
Opcode Fuzzy Hash: e27b6ddd714dc1ce9e7ae0b6cd16e1acc575801cde0ba989621d56644dc37cf4
Instruction Fuzzy Hash: FE312B71904705AFDB20DFA5D884EBABBFBEF14361B10442EF52AD6251DB30AE41DB60

Function 006B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006B19E2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bf822c77b952c29fdb3891855287dfe409e3ddbaed76cf5093ed06ad1400b38d
Instruction ID: 7620409298fef2bc5d71d83b2f87fdea822ea1146348220c70132da47d447836
Opcode Fuzzy Hash: bf822c77b952c29fdb3891855287dfe409e3ddbaed76cf5093ed06ad1400b38d
Instruction Fuzzy Hash: 7631E4B1900259FFCB00DFA8CDA8ADE3BB6EB05314F004225F921AB2D1C3709945CB90

Function 006E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 006E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 006E579D
_wcslen.LIBCMT ref: 006E57AF
_wcslen.LIBCMT ref: 006E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 006E5816

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1b750332caf81c074e33e093b53e2d9064ca5353a472bd39b62f82f9c9d732d5
Instruction ID: 432c6330ca1b051923797d72c010f9ccf157722518264dab1e6cb2bf6579b05b
Opcode Fuzzy Hash: 1b750332caf81c074e33e093b53e2d9064ca5353a472bd39b62f82f9c9d732d5
Instruction Fuzzy Hash: D3218771905798DADF209F61CC85AEE77BAFF14728F108116E92ADB2C1D7708986CF50

Function 006D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006D0951
GetForegroundWindow.USER32 ref: 006D0968
GetDC.USER32(00000000), ref: 006D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 006D09B0
ReleaseDC.USER32(00000000,00000003), ref: 006D09E8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6e01b3daabdca55263f0c1b9137f652e0bc6f7c22b470782b7979f3fc550aead
Instruction ID: 725a7cfb0a58b7dff29e047f2de2ecf7a4116c71baa41bf88e0547f39598fbd0
Opcode Fuzzy Hash: 6e01b3daabdca55263f0c1b9137f652e0bc6f7c22b470782b7979f3fc550aead
Instruction Fuzzy Hash: 5E218435A00204AFD744EF65C894AAEB7F6EF49711F04846DE856DB352DB30AC05CB90

Function 0068CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0068CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0068CDE9

Part of subcall function 00683820: RtlAllocateHeap.NTDLL(00000000,?,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6,?,00651129), ref: 00683852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0068CE0F
_free.LIBCMT ref: 0068CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0068CE31

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 867dbe97ebb25f4af242fe87aca2da412c8ccdfc5fa65bda993aea702154bc77
Instruction ID: 0aa419bd996ebae6577d7310cbd762dc21606226c8e3a7b50a425a0b754871dc
Opcode Fuzzy Hash: 867dbe97ebb25f4af242fe87aca2da412c8ccdfc5fa65bda993aea702154bc77
Instruction Fuzzy Hash: 660184726012567FA72136BA6C9CDBB696FDFCABB1315432DF905C7201EA718D0283B4

Function 00669639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00669693
SelectObject.GDI32(?,00000000), ref: 006696A2
BeginPath.GDI32(?), ref: 006696B9
SelectObject.GDI32(?,00000000), ref: 006696E2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6a6f6c32d0d29a239e564ae52fc97c22b6e468b34d980e91076eeab14aba3879
Instruction ID: c354f3274f8e3192646235608b34e075c3a0dbbf5839bad27f4254dc440163e7
Opcode Fuzzy Hash: 6a6f6c32d0d29a239e564ae52fc97c22b6e468b34d980e91076eeab14aba3879
Instruction Fuzzy Hash: D8218370801385EBEF219F24DC547E93B6ABB21325F508219F850D61B1D3746893CFA8

Function 006B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006B5726
_memcmp.LIBVCRUNTIME ref: 006B5744
_memcmp.LIBVCRUNTIME ref: 006B5757
_memcmp.LIBVCRUNTIME ref: 006B576F
_memcmp.LIBVCRUNTIME ref: 006B5787

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8956af5f32813242e81df1976a414a3a4e3c195b40b9f95f3f8c2ebdc72599c4
Instruction ID: 7e707d69f69945e6fad05f38082924a9c5fd1f7bb1deb475f8a9fb409445d4f5
Opcode Fuzzy Hash: 8956af5f32813242e81df1976a414a3a4e3c195b40b9f95f3f8c2ebdc72599c4
Instruction Fuzzy Hash: 0301D6F1341705BBA21852159D42FFB735F9B217A8B204035FD0A9E241FE20EE5283A4

Function 00682DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0067F2DE,00683863,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6), ref: 00682DFD
_free.LIBCMT ref: 00682E32
_free.LIBCMT ref: 00682E59
SetLastError.KERNEL32(00000000,00651129), ref: 00682E66
SetLastError.KERNEL32(00000000,00651129), ref: 00682E6F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8348ec88c33ab5d5f18f9df3036690a2ae5c3f221ca7e92f73d0a4c1776c99e7
Instruction ID: b0a0f4628fc2d3a2a1205692f841f6ae059d289b93f9a2c8259811ecb7b49521
Opcode Fuzzy Hash: 8348ec88c33ab5d5f18f9df3036690a2ae5c3f221ca7e92f73d0a4c1776c99e7
Instruction Fuzzy Hash: 2001F97224560277CB1237796CADD6B156FABC1775B21432CF521923D2EF248C025328

Function 006B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?,?,006B035E), ref: 006B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?), ref: 006B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?), ref: 006B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?), ref: 006B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006AFF41,80070057,?,?), ref: 006B0070

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d08f8720f565af72bf0c0668f65d1db14984bb499c8abaaaf3c85f8db0670769
Instruction ID: d1ff4285e14b91e9d3a50f3960d07f2efb345f3ca4c334dfeeb9c427f3a45a92
Opcode Fuzzy Hash: d08f8720f565af72bf0c0668f65d1db14984bb499c8abaaaf3c85f8db0670769
Instruction Fuzzy Hash: 4A018FB2600304BFEB115F68DC44BEB7EAFEB447A1F145124F905D6210D771DD818BA0

Function 006BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 006BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 006BE9A5
Sleep.KERNEL32(00000000), ref: 006BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 006BE9B7
Sleep.KERNEL32 ref: 006BE9F3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4ee43da02a13216dd6e9b268c1b26f466f9c238c7f3bbbacc303fcb0af017c84
Instruction ID: 29ec19404a1f85c441f6d1a5af1196f518c93114d929f147a2daff24d7716293
Opcode Fuzzy Hash: 4ee43da02a13216dd6e9b268c1b26f466f9c238c7f3bbbacc303fcb0af017c84
Instruction Fuzzy Hash: 9C019E71C0162DDBCF00AFE5DC99AEDBB7AFF09311F004546E502B2240CB35A69ACBA1

Function 006B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006B0B9B,?,?,?), ref: 006B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006B114D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4ff30d86d61f4fdef89a299c6c1d6e99e0ae323c5515841e31edbb3d3720eabb
Instruction ID: a6f76e8dd05c0aba295c273e26b7722b5fafc735716c51d93d3a60dd9ab8a8e6
Opcode Fuzzy Hash: 4ff30d86d61f4fdef89a299c6c1d6e99e0ae323c5515841e31edbb3d3720eabb
Instruction Fuzzy Hash: A6011D75100305BFDB114F69DC99AAA3B6FEF86360B504419FA45DB350DA31DC419B60

Function 006B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006B1002

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c8559ac85a7ae2be75a36c77b60537cebdf9dd709f7e181184aefb11d392685c
Instruction ID: 1ed42df352cc8a95d1b8d6bb4ba3788262aef3aa132c80b846de30ebaa4ebd44
Opcode Fuzzy Hash: c8559ac85a7ae2be75a36c77b60537cebdf9dd709f7e181184aefb11d392685c
Instruction Fuzzy Hash: 0EF0A975200345BBDB211FA4DC8DF963BAEEF8A772F500414FE05CA290CA31DC818B60

Function 006B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006B1062

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 95d141445e27ce4f72995ab612e6b8f978dd636092be6961f0070493ad4114b3
Instruction ID: 135510a07ec6bc9cc393f4a29dd68ec93c871e63990a26fe29e3009dabfce802
Opcode Fuzzy Hash: 95d141445e27ce4f72995ab612e6b8f978dd636092be6961f0070493ad4114b3
Instruction Fuzzy Hash: 1AF04975200345BBDB216FA4EC99F963BAEEF8A771F500414FE45CA290CA71D8819A60

Function 006C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C0324
CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C0331
CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C033E
CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C034B
CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C0358
CloseHandle.KERNEL32(?,?,?,?,006C017D,?,006C32FC,?,00000001,00692592,?), ref: 006C0365

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9a2b4d1796b04a8c4a4225644b77e649938848fa0407c1abd64fddada49a0655
Instruction ID: 1dca13222c0c333bd13a3ffa44974673652e12b7c6f92922257a48712838c1b1
Opcode Fuzzy Hash: 9a2b4d1796b04a8c4a4225644b77e649938848fa0407c1abd64fddada49a0655
Instruction Fuzzy Hash: AD019076800B56DFDB309F66D880962FBFAFE502153158A3ED19A52A31C371A955CE80

Function 0068D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0068D752

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 0068D764
_free.LIBCMT ref: 0068D776
_free.LIBCMT ref: 0068D788
_free.LIBCMT ref: 0068D79A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 86f58a1fe9426fe02ad2984e6ed8ff06b495ffcab2d3814d561d249c66fdbc83
Instruction ID: ce06dd4d45e2b0b773824925f2ecf3ee45562b81dce0220cfc7eff7896056de3
Opcode Fuzzy Hash: 86f58a1fe9426fe02ad2984e6ed8ff06b495ffcab2d3814d561d249c66fdbc83
Instruction Fuzzy Hash: CEF018325442056B8651FB59F9C5C9677EFBB447107954909F044E7681C738FC404778

Function 006B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 006B5C6F
MessageBeep.USER32(00000000), ref: 006B5C87
KillTimer.USER32(?,0000040A), ref: 006B5CA3
EndDialog.USER32(?,00000001), ref: 006B5CBD

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 54cbda8494f288b3bc2137b453536c04c46bbd3eb73c3f3d1339ad64ce91f909
Instruction ID: a06870e598f8ec54288e28da27d7f453249238c0a5367a000b5a45b7a4b2bf39
Opcode Fuzzy Hash: 54cbda8494f288b3bc2137b453536c04c46bbd3eb73c3f3d1339ad64ce91f909
Instruction Fuzzy Hash: F4018170500B44ABEB205B14DD8EFE67BBBBB00B05F00155DB583A50E1DBF0A989CB91

Function 006822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006822BE

Part of subcall function 006829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000), ref: 006829DE
Part of subcall function 006829C8: GetLastError.KERNEL32(00000000,?,0068D7D1,00000000,00000000,00000000,00000000,?,0068D7F8,00000000,00000007,00000000,?,0068DBF5,00000000,00000000), ref: 006829F0

_free.LIBCMT ref: 006822D0
_free.LIBCMT ref: 006822E3
_free.LIBCMT ref: 006822F4
_free.LIBCMT ref: 00682305

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f598a416fe52376b72ef8dc0af06ecba9a39fb68b3b4d524fc53a3d142b7fd07
Instruction ID: 83fd139b0b8b792cc4a91425b838943417bdbdc8c97ba2b5b816fe9bb79f4fa8
Opcode Fuzzy Hash: f598a416fe52376b72ef8dc0af06ecba9a39fb68b3b4d524fc53a3d142b7fd07
Instruction Fuzzy Hash: 32F030705801518B8B63BF99BC518883BA6B728B50741C60AF410D22B2C73C15539BEC

Function 006695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006695D4
StrokeAndFillPath.GDI32(?,?,006A71F7,00000000,?,?,?), ref: 006695F0
SelectObject.GDI32(?,00000000), ref: 00669603
DeleteObject.GDI32 ref: 00669616
StrokePath.GDI32(?), ref: 00669631

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: dc6d200f63397cd9c1ae1c17b3e287434ea55758d335c9707e50917c15486c38
Instruction ID: 35ebae2cb1f1a3bcf17aa8ded6e9986039f1773814f7fe3ecc58c8f1fa6814a2
Opcode Fuzzy Hash: dc6d200f63397cd9c1ae1c17b3e287434ea55758d335c9707e50917c15486c38
Instruction Fuzzy Hash: E1F019300053C8EBDB265F65ED58BA43B66BB51336F448218F8A5991F0C7399993DF28

Function 00680F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006810F9
__freea.LIBCMT ref: 00681117

Part of subcall function 00681537: _free.LIBCMT ref: 0068154F

Strings

am/pm, xrefs: 0068117A
a/p, xrefs: 006811DE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a8d0b474e84541972ac8b3c3110198d356020ae9c80bed2c0fb3fe241687ab88
Instruction ID: ad5acc9b0f28f59f6854e0038d91bc4d6a54a253e3a15c7da52fe6b21f3933f3
Opcode Fuzzy Hash: a8d0b474e84541972ac8b3c3110198d356020ae9c80bed2c0fb3fe241687ab88
Instruction Fuzzy Hash: C1D1E031900206CBDB24AF68C859AFAB7BAEF07700F24435AE9459F750D7759E83CB91

Function 006D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00670242: EnterCriticalSection.KERNEL32(0072070C,00721884,?,?,0066198B,00722518,?,?,?,006512F9,00000000), ref: 0067024D
Part of subcall function 00670242: LeaveCriticalSection.KERNEL32(0072070C,?,0066198B,00722518,?,?,?,006512F9,00000000), ref: 0067028A

Part of subcall function 006700A3: __onexit.LIBCMT ref: 006700A9

__Init_thread_footer.LIBCMT ref: 006D6238

Part of subcall function 006701F8: EnterCriticalSection.KERNEL32(0072070C,?,?,00668747,00722514), ref: 00670202
Part of subcall function 006701F8: LeaveCriticalSection.KERNEL32(0072070C,?,00668747,00722514), ref: 00670235

Part of subcall function 006C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006C35E4
Part of subcall function 006C359C: LoadStringW.USER32(00722390,?,00000FFF,?), ref: 006C360A

Strings

x#r, xrefs: 006D6353
x#r, xrefs: 006D633A
x#r, xrefs: 006D636F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#r$x#r$x#r
API String ID: 1072379062-2161639933
Opcode ID: 8e1ab810d71413ce0fcdbdaa203cccceb0a534de358743d98dd746882fc58d23
Instruction ID: 06ad3e0889715d15b691f6ae3a8244991abcba6a27812961fd65d2e2872fdc09
Opcode Fuzzy Hash: 8e1ab810d71413ce0fcdbdaa203cccceb0a534de358743d98dd746882fc58d23
Instruction Fuzzy Hash: 57C16B71A00105AFCB24DF98D891EBAB7BAEF48310F14806EF9059B391DB75EE45CB94

Function 00688A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00688B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00688B7A
__dosmaperr.LIBCMT ref: 00688B81

Strings

.g, xrefs: 00688A63

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .g
API String ID: 2434981716-2054203957
Opcode ID: 0b7776b2788b952aaf005eadbcfdb725599679bb84aa6b6a4c56cf9f751329e1
Instruction ID: 47c754e065024c4829b329f52d94e5c22c41c9a0c8e53df7cfcdf44ddf3a0d34
Opcode Fuzzy Hash: 0b7776b2788b952aaf005eadbcfdb725599679bb84aa6b6a4c56cf9f751329e1
Instruction Fuzzy Hash: A7416C70604185AFDB34AF68C880ABD7FA7DFC5304B2883A9F89597643DE358C039794

Function 006B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006B21D0,?,?,00000034,00000800,?,00000034), ref: 006BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006B2760

Part of subcall function 006BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006BB3F8

Part of subcall function 006BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006BB355
Part of subcall function 006BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006B2194,00000034,?,?,00001004,00000000,00000000), ref: 006BB365
Part of subcall function 006BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006B2194,00000034,?,?,00001004,00000000,00000000), ref: 006BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006B281A

Strings

@, xrefs: 006B2832

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1a0bd6159204ab82c21aeb3df1a0214c663830664e942cbe7d626eedec2b2df0
Instruction ID: b4f07f0570cd2744892efe21278ee5ab0566f9ade413384e5fa16e7113924919
Opcode Fuzzy Hash: 1a0bd6159204ab82c21aeb3df1a0214c663830664e942cbe7d626eedec2b2df0
Instruction Fuzzy Hash: 88414FB2900218AFDB10DFA4CD95BDEBBB9EF05700F005059FA55B7181DB706E85CBA4

Function 0068172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\hesaphareketi-01.exe,00000104), ref: 00681769
_free.LIBCMT ref: 00681834
_free.LIBCMT ref: 0068183E

Strings

C:\Users\user\Desktop\hesaphareketi-01.exe, xrefs: 00681760, 00681767, 00681796, 006817CE

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\hesaphareketi-01.exe
API String ID: 2506810119-809479172
Opcode ID: 07709022f215c811f041c11f2efde1d6bf5b3502653a8fe2982a20c506dbe54a
Instruction ID: d395b626011484e0e30bb092a4307cd0635ec4b260afa75d11fd8bfc7ddeb33c
Opcode Fuzzy Hash: 07709022f215c811f041c11f2efde1d6bf5b3502653a8fe2982a20c506dbe54a
Instruction Fuzzy Hash: D43182B1A00218EBDB21EB999885DDEBBFEFB96710B50426AF4049B311D6704E42CB94

Function 006BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 006BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00721990,00D85C40), ref: 006BC395

Strings

0, xrefs: 006BC2DF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7e86ef4f75e68699849d4c51efd0da7d4fb09de2f0c34a570a00dbffe3b2d71a
Instruction ID: 20b89518908e2ddb8cb4fdd27d30d2c44268a0f3fe55ca3e32bd63e162618342
Opcode Fuzzy Hash: 7e86ef4f75e68699849d4c51efd0da7d4fb09de2f0c34a570a00dbffe3b2d71a
Instruction Fuzzy Hash: 4141A0B12043419FD720DF24D884F9ABBE6AF85320F04861EF8A5973D1D770AA45CB66

Function 006E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006ECC08,00000000,?,?,?,?), ref: 006E44AA
GetWindowLongW.USER32 ref: 006E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006E44D7

Strings

SysTreeView32, xrefs: 006E447C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 942d4854067cf3951a66a37594264bd34da2a05a9774189a5b37a558ac6d04d7
Instruction ID: 40939d95ea2985762d5431cba6575cca3451066071988e74875b967f2b5bd099
Opcode Fuzzy Hash: 942d4854067cf3951a66a37594264bd34da2a05a9774189a5b37a558ac6d04d7
Instruction Fuzzy Hash: A0319C31211385AFDB208E39DC45BEA77AAEB08334F204319F975932D0DB74AC519B50

Function 006B6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 006B6EED
VariantCopyInd.OLEAUT32(?,?), ref: 006B6F08
VariantClear.OLEAUT32(?), ref: 006B6F12

Strings

*jk, xrefs: 006B6E8B, 006B6E90, 006B6EF8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jk
API String ID: 2173805711-2414420441
Opcode ID: 7f0eefa97400d3d5d551020a5062167f526b7b63f26736bf5fafdebc4a3d1fa0
Instruction ID: 2b658c6618114e7511acfc13e9cd1a4d5ef93c9ee29b9be5a696089185a453a0
Opcode Fuzzy Hash: 7f0eefa97400d3d5d551020a5062167f526b7b63f26736bf5fafdebc4a3d1fa0
Instruction Fuzzy Hash: 33316FB1604245DBCB05AFA5E8919FE77BBFF85301F1004A8F9024B2B1DB389956DB94

Function 006D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006D3077,?,?), ref: 006D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006D307A
_wcslen.LIBCMT ref: 006D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 006D3106

Strings

255.255.255.255, xrefs: 006D3095, 006D309A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0be5af70f5852dde7e89444fd140d79810b2f67fde4ce3f1f6d36d31ca592918
Instruction ID: b7355b909f9d1c7b6b900f239d0b41702866b11a31d35b27e2343899d0d5914f
Opcode Fuzzy Hash: 0be5af70f5852dde7e89444fd140d79810b2f67fde4ce3f1f6d36d31ca592918
Instruction Fuzzy Hash: 4631C439A002129FC720CF68C985EAA77E2EF54318F24805AE9158B392DB71DE46C762

Function 006E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006E471A

Strings

msctls_updown32, xrefs: 006E4684

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 579e71da76bbe8b92194502c7d838ca210f5d345e4d905c41acbc06a562ee33d
Instruction ID: 1394f6f1866d6437e957962e710c27164e661822a56557212a809ddf4caf10fc
Opcode Fuzzy Hash: 579e71da76bbe8b92194502c7d838ca210f5d345e4d905c41acbc06a562ee33d
Instruction Fuzzy Hash: 7F2160B5601249AFDB10DF65DCD1DA737AEEF5A3A4B440059FA009B391CB30EC52CAA4

Function 006B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006B961D

Strings

#notrayicon, xrefs: 006B95B7
#requireadmin, xrefs: 006B95D9
#OnAutoItStartRegister, xrefs: 006B95F3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 474ed445dbad0fabc617ee1d06a377bcac2c2b028a17fcdffe5331b7afe8902e
Instruction ID: 1237a96546864692636c4a5c4f600756c49f66ab151594e49cee2cc45ef442d9
Opcode Fuzzy Hash: 474ed445dbad0fabc617ee1d06a377bcac2c2b028a17fcdffe5331b7afe8902e
Instruction Fuzzy Hash: 092138B214421066D331AB25AC06FFB739B9F51300F10802AFB4997242FB519DC6C3B9

Function 006E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006E3876

Strings

Listbox, xrefs: 006E380F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 024a8f17e4f14f60d3b951453e50e7799465d0ba2893cf88216d8c2b7dcb3202
Instruction ID: 5f690a6f58847aa96ae6e5391f1e8762af1dd66330a1ba3b2db9bff3eb8a92df
Opcode Fuzzy Hash: 024a8f17e4f14f60d3b951453e50e7799465d0ba2893cf88216d8c2b7dcb3202
Instruction Fuzzy Hash: F7218072611268BBEF218F56CC85EEB376BEF89760F108124F9059B290C675DC52C7A0

Function 006C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006C4A5C
SetErrorMode.KERNEL32(00000000,?,?,006ECC08), ref: 006C4AD0

Strings

%lu, xrefs: 006C4A6F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e6169ee8ced887aff7dc8ee9d3cf95ce9886d5699bbeb600790c92bdd7010e14
Instruction ID: d90c0e9df50064d728583e6721acbdc8c1082ed309b00a85c0e1c1ff752acc80
Opcode Fuzzy Hash: e6169ee8ced887aff7dc8ee9d3cf95ce9886d5699bbeb600790c92bdd7010e14
Instruction Fuzzy Hash: 30315071A00209AFDB50DF54C885EAA77F9EF05314F1480A9F905DF252DB71ED46CB61

Function 006E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006E4271

Strings

msctls_trackbar32, xrefs: 006E4226

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bdee7928db72b335f66d9db07f18317f7317aac55f87cf365816051976621cf6
Instruction ID: 49120f2e9e8b8de048d24ecbbcb2a4b9934c4ef350eb5239d38238df35ea0eb2
Opcode Fuzzy Hash: bdee7928db72b335f66d9db07f18317f7317aac55f87cf365816051976621cf6
Instruction Fuzzy Hash: 7C11C131240388BEEF205F39CC46FEB3BA9EF95B64F110124FA55E6190D671D8529B14

Function 006B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

Part of subcall function 006B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006B2DC5
Part of subcall function 006B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 006B2DD6
Part of subcall function 006B2DA7: GetCurrentThreadId.KERNEL32 ref: 006B2DDD
Part of subcall function 006B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006B2DE4

GetFocus.USER32 ref: 006B2F78

Part of subcall function 006B2DEE: GetParent.USER32(00000000), ref: 006B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 006B2FC3
EnumChildWindows.USER32(?,006B303B), ref: 006B2FEB

Strings

%s%d, xrefs: 006B2FFF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 657e867b12f0e5bdf5b2e5240851967fd9209c54d3b794a39a97b755116ee1fb
Instruction ID: d8885b7d59c0a563d0b98e2826ac343b52b97e87eae69ccd3ed82030cde7462b
Opcode Fuzzy Hash: 657e867b12f0e5bdf5b2e5240851967fd9209c54d3b794a39a97b755116ee1fb
Instruction Fuzzy Hash: 8811C0B13002056BCF547F60CCD5EEE37ABAF94314F044079FD099B292EE30998A8B60

Function 006E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006E58EE
DrawMenuBar.USER32(?), ref: 006E58FD

Strings

0, xrefs: 006E588F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 418bb07728a74ed546d2714e3af34036776fc22e3693e52d9b3d783b1e302082
Instruction ID: ce05c417952b4ecf26e2b2c5d5dd19b6ba20f9ccb26ee3a3c71aaedbfbb23abd
Opcode Fuzzy Hash: 418bb07728a74ed546d2714e3af34036776fc22e3693e52d9b3d783b1e302082
Instruction Fuzzy Hash: D001A131500388EFDB109F12DC44BEEBBB6FB45364F00809AE849DA251DB308A91DF20

Function 006AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 006AD3BF
FreeLibrary.KERNEL32 ref: 006AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 006AD3B9
X64, xrefs: 006AD2A8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 230339fdfe4f9214c50d6dc6695781c5ea1031c930daba30989f09f14c14cd73
Instruction ID: d0b1b7e3dc899769ce2aa045ce770969da81f3ef664e1c1a6aa6d64a36427b74
Opcode Fuzzy Hash: 230339fdfe4f9214c50d6dc6695781c5ea1031c930daba30989f09f14c14cd73
Instruction Fuzzy Hash: CDF055318027219BCB317B104C54AE93723BF13701B548118E903E5A08DB20CE4ACE82

Function 006B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dfd7b1a01d689efabf9681d4888fed46b2980f987ffead9ebba6723300c927
Instruction ID: 99dfb652a8d12a35290e19a48d05f7c70b9c683c3e50b8ed7c5fd3e8313c6413
Opcode Fuzzy Hash: 71dfd7b1a01d689efabf9681d4888fed46b2980f987ffead9ebba6723300c927
Instruction Fuzzy Hash: 64C12FB5A00216EFDB14CF98C898AEEBBB6FF48714F148598E505DB251D731DE82CB90

Function 006D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006D3459
CoUninitialize.OLE32 ref: 006D3463
VariantInit.OLEAUT32(?), ref: 006D346E
VariantClear.OLEAUT32(?), ref: 006D371B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f62c71ff33b899b1851702d2138a4495e10277194a5f21985264be7878492ee8
Instruction ID: 7233c99513db0893545048380c26d643b164f85b4f255847073fabf36bea7875
Opcode Fuzzy Hash: f62c71ff33b899b1851702d2138a4495e10277194a5f21985264be7878492ee8
Instruction Fuzzy Hash: 92A14A756043109FC740DF28D485A6AB7E6FF88715F04885EF98A9B362DB30EE05CB96

Function 006B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006EFC08,?), ref: 006B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006EFC08,?), ref: 006B0608
CLSIDFromProgID.OLE32(?,?,00000000,006ECC40,000000FF,?,00000000,00000800,00000000,?,006EFC08,?), ref: 006B062D
_memcmp.LIBVCRUNTIME ref: 006B064E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 943610cc26024e6f79e6041a24237166e157d63385f74add4232a29bb4d4319d
Instruction ID: 2228f9080d2735fcb5494b212c43903b5061847005b313ebaecd068e387211de
Opcode Fuzzy Hash: 943610cc26024e6f79e6041a24237166e157d63385f74add4232a29bb4d4319d
Instruction Fuzzy Hash: B88110B1900109EFDB14DF94C984DEEBBBAFF89315F204558F506AB250DB71AE46CB60

Function 00691391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006914C0

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 024e88f3b3a0a8b4829e520617c439fb9c636c0a00fdd31d671ce3b5292efb67
Instruction ID: e2f4dd044911e96d57fb4250412105989e5abb58b1947a3ba6eae6c489b163aa
Opcode Fuzzy Hash: 024e88f3b3a0a8b4829e520617c439fb9c636c0a00fdd31d671ce3b5292efb67
Instruction Fuzzy Hash: D4412C316001025BDF217BF98C45AFE3AEFEF4BB70F344229F429DA692E63489415766

Function 006E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D8FB78,?), ref: 006E62E2
ScreenToClient.USER32(?,?), ref: 006E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006E6382

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 609dc6f2eca25e3b2fc6da7f82470ee9f23ce2a9c07de6150a5cf03b4a3138d7
Instruction ID: faa2b0962ff2df28286475a4a0753bd6d2b85f99ffd557db106cb7b718ddbee4
Opcode Fuzzy Hash: 609dc6f2eca25e3b2fc6da7f82470ee9f23ce2a9c07de6150a5cf03b4a3138d7
Instruction Fuzzy Hash: 3E510974901289EFCF20DF65D8849EE7BB6FF653A0F208159F9559B290D730AD81CB50

Function 006D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006D1AFD
WSAGetLastError.WSOCK32 ref: 006D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006D1B8A
WSAGetLastError.WSOCK32 ref: 006D1B94

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8d6361b54e0b6e338a07e95890e36f4611fe63d865bde391a5c89506b3cc1e2a
Instruction ID: a37976690d3dd8288e57091761b050d01065ba2f20fcbbcc79cf694bdb0e0bc6
Opcode Fuzzy Hash: 8d6361b54e0b6e338a07e95890e36f4611fe63d865bde391a5c89506b3cc1e2a
Instruction Fuzzy Hash: 0D419134600200AFE760AF24C886F6677E6AB85718F54845DF95A9F3D2D7B2ED42CB90

Function 0068B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f8797cd6111cc3750324a9fe6715568bd6be519186a57d2c052f8931209711
Instruction ID: 17d38c8ff294a3e14b42d0f943f9f65f3bb2d94681ddfb394c4d654a93a0b246
Opcode Fuzzy Hash: 65f8797cd6111cc3750324a9fe6715568bd6be519186a57d2c052f8931209711
Instruction Fuzzy Hash: 27412A75A00304AFD724AF78CC42BAA7BEBEF84720F20462EF556DB792D37199018790

Function 006C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006C5783
GetLastError.KERNEL32(?,00000000), ref: 006C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006C57FA

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 538ea74a402f031173a76930bf7c87932fab71a813f4f12571b1170ed1ca2f84
Instruction ID: 26cf1b296a7cabd35c118fa7914487e5266328a13ea7705e97e7564cc8b5bf1a
Opcode Fuzzy Hash: 538ea74a402f031173a76930bf7c87932fab71a813f4f12571b1170ed1ca2f84
Instruction Fuzzy Hash: 8F411639600610DFCB11EF15C484A5ABBE2EF89321F19848CEC5AAB362DB31FD45CB95

Function 0068D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00676D71,00000000,00000000,006782D9,?,006782D9,?,00000001,00676D71,?,00000001,006782D9,006782D9), ref: 0068D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0068D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0068D9AB
__freea.LIBCMT ref: 0068D9B4

Part of subcall function 00683820: RtlAllocateHeap.NTDLL(00000000,?,00721444,?,0066FDF5,?,?,0065A976,00000010,00721440,006513FC,?,006513C6,?,00651129), ref: 00683852

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7aeb9ff4a07e8a4ce6e33a594d8dd0fc42b2316f89bde64d351f1e489d960765
Instruction ID: 4cb3dc7838fa0df51f6529037c5109534e50ad062315115aa5557897a10f032d
Opcode Fuzzy Hash: 7aeb9ff4a07e8a4ce6e33a594d8dd0fc42b2316f89bde64d351f1e489d960765
Instruction Fuzzy Hash: E131B372A00216ABDF25AF65DC45EEE7BA6EB41710F054268FC08D7290E735CD51CBA0

Function 006E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 006E5352
GetWindowLongW.USER32(?,000000F0), ref: 006E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006E53A8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c02508e0aa4394f65239f19399256ef8f6d0ef1dad15e0c0e9f6c2069cbf2236
Instruction ID: 56b09b999df61832e2e9755fd99a3766b8640ca5e0dcb87611eb3f625cc1e7fb
Opcode Fuzzy Hash: c02508e0aa4394f65239f19399256ef8f6d0ef1dad15e0c0e9f6c2069cbf2236
Instruction Fuzzy Hash: D6310634A57B88EFEB309B16CC45BE93763AB04394F544001FA12963E1E7B09D419B81

Function 006BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 006BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 006BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 006BAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 006BACC6

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eff96aa7bf0e5b503682db4fda3385d158e8885932816fe27ef8e1b1d1da64a7
Instruction ID: e9b69f10ddb2581ff34100de424c572a3c617a1199243b857459ebb97227142f
Opcode Fuzzy Hash: eff96aa7bf0e5b503682db4fda3385d158e8885932816fe27ef8e1b1d1da64a7
Instruction Fuzzy Hash: EE3137B0A003586FEF35CBA48C457FE7FA7AB89320F04431AE481963D1D37489C287A2

Function 006E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006E769A
GetWindowRect.USER32(?,?), ref: 006E7710
PtInRect.USER32(?,?,006E8B89), ref: 006E7720
MessageBeep.USER32(00000000), ref: 006E778C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3d520e8808a47ddc3c89bf0be3958cdaebbb335cf192478d7a4f62c03433eff2
Instruction ID: 0644a4235164fe8abe518b67a728a38b757f1da0b709d7207e5f5468be6a03b2
Opcode Fuzzy Hash: 3d520e8808a47ddc3c89bf0be3958cdaebbb335cf192478d7a4f62c03433eff2
Instruction Fuzzy Hash: B7418D3460A394DFDF11CF5AD894EA9B7F6FB59314F1980A8E8549B361C730A982CF90

Function 006E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E16EB

Part of subcall function 006B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006B3A57
Part of subcall function 006B3A3D: GetCurrentThreadId.KERNEL32 ref: 006B3A5E
Part of subcall function 006B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006B25B3), ref: 006B3A65

GetCaretPos.USER32(?), ref: 006E16FF
ClientToScreen.USER32(00000000,?), ref: 006E174C
GetForegroundWindow.USER32 ref: 006E1752

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bd3f1e2b3f9118baeaf5f6de6ac63f7ce70e53d5f79d9e7d3b91f13e98876742
Instruction ID: a31a1facf34ac2f89f07d65e31a991aab67bd5ab29dc576a1caf391b28b44dab
Opcode Fuzzy Hash: bd3f1e2b3f9118baeaf5f6de6ac63f7ce70e53d5f79d9e7d3b91f13e98876742
Instruction Fuzzy Hash: B6314171D00249AFCB40EFAAC881CEEB7FAEF49314B50806DE415EB251D7319E45CBA0

Function 006BD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006BD501
Process32FirstW.KERNEL32(00000000,?), ref: 006BD50F
Process32NextW.KERNEL32(00000000,?), ref: 006BD52F
CloseHandle.KERNEL32(00000000), ref: 006BD5DC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 533268f2dc367ee78c05785ecf2e3d21b5ad8bccc8c168062810969dc2bbd827
Instruction ID: 88d7afa7943415d84b48853c1e322b8b78fb2e98028e15f6ff69cde392d02ca7
Opcode Fuzzy Hash: 533268f2dc367ee78c05785ecf2e3d21b5ad8bccc8c168062810969dc2bbd827
Instruction Fuzzy Hash: 3031BB721083409FD314DF54C885AEF7BF9EF95354F14092DF581871A1EB719949C7A2

Function 006E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

GetCursorPos.USER32(?), ref: 006E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006A7711,?,?,?,?,?), ref: 006E9016
GetCursorPos.USER32(?), ref: 006E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006A7711,?,?,?), ref: 006E9094

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1549269f29239c41ebc6c1ac1540a0818e9f3ccefb6679b28d2c4bba512f3016
Instruction ID: ccbf9b685b39d96ec0e35c73d2e5cda8135542cabe052cd7cf566a9fdeb14c69
Opcode Fuzzy Hash: 1549269f29239c41ebc6c1ac1540a0818e9f3ccefb6679b28d2c4bba512f3016
Instruction Fuzzy Hash: 6021D331601258EFCB258F95CC98EFA3BBAFF4A360F444059F9054B261C335AA91DB70

Function 006BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006ECB68), ref: 006BD2FB
GetLastError.KERNEL32 ref: 006BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 006BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006ECB68), ref: 006BD376

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 30d2ca2b2478cebd7e874b0a82ca4c2d74f6560209bbb26d67aec567c09974eb
Instruction ID: f323a7a867ae3093dfb9ebf96c2e74027428a82266b703f68c06902bd87053e8
Opcode Fuzzy Hash: 30d2ca2b2478cebd7e874b0a82ca4c2d74f6560209bbb26d67aec567c09974eb
Instruction Fuzzy Hash: 732186B0505301DFC714DF24C8814EA77E6EE56764F104A1DF895CB2A2EB31D98ACB97

Function 006B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006B102A
Part of subcall function 006B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006B1036
Part of subcall function 006B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006B1045
Part of subcall function 006B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006B104C
Part of subcall function 006B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006B15BE
_memcmp.LIBVCRUNTIME ref: 006B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006B1617
HeapFree.KERNEL32(00000000), ref: 006B161E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 35f946393e8da4e00b34d4830a531fe9f85547146acc9226820ca4272fdf4bcf
Instruction ID: 37ec1cd0ae5b92734dac5bfe0e2de9dae1cc88b24d693f3ef9040b1072379836
Opcode Fuzzy Hash: 35f946393e8da4e00b34d4830a531fe9f85547146acc9226820ca4272fdf4bcf
Instruction Fuzzy Hash: 642190B2E00218FFDF10DFA4C955BEEB7BAEF46354F484459E441AB241E730AA45DB90

Function 006E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006E2840

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5940a9fab54ec86b9df8623d540ad5d92e591f2783d5617751072a36f4950228
Instruction ID: 9d5c2d7313007983fbc891dd57d514720ffa75b9a6a3376ba3038b4a5464971b
Opcode Fuzzy Hash: 5940a9fab54ec86b9df8623d540ad5d92e591f2783d5617751072a36f4950228
Instruction Fuzzy Hash: B321C431205792AFD7149B25C855FAA779BAF85324F14815CF8168B6D2C771FC42CB90

Function 006B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,006B790A,?,000000FF,?,006B8754,00000000,?,0000001C,?,?), ref: 006B8D8C
Part of subcall function 006B8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 006B8DB2
Part of subcall function 006B8D7D: lstrcmpiW.KERNEL32(00000000,?,006B790A,?,000000FF,?,006B8754,00000000,?,0000001C,?,?), ref: 006B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006B8754,00000000,?,0000001C,?,?,00000000), ref: 006B7923
lstrcpyW.KERNEL32(00000000,?), ref: 006B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,006B8754,00000000,?,0000001C,?,?,00000000), ref: 006B7984

Strings

cdecl, xrefs: 006B797B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2b7654b7451b46f4b11e14d78bafacb651dc5cc10d5023c2a9ed3d3115a68a9d
Instruction ID: 06aa1e2b67b6deedc99fca905ef813dfd78df09938fa78f814fe7a0b6e6971ba
Opcode Fuzzy Hash: 2b7654b7451b46f4b11e14d78bafacb651dc5cc10d5023c2a9ed3d3115a68a9d
Instruction Fuzzy Hash: 5211037A200342AFCB15AF38D844DFA77AAFF85350B00402EF802CB3A4EB319851C7A1

Function 006E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 006E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 006E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006CB7AD,00000000), ref: 006E7D6B

Part of subcall function 00669BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00669BB2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 770891f15f83597133b9e6bfd3cf2555b2085c4a22f87ea64064d4a545220e66
Instruction ID: a9ec4f2782af82d4267c9b8235cce4ba89190185d3bca3ccb3c91647130aa68a
Opcode Fuzzy Hash: 770891f15f83597133b9e6bfd3cf2555b2085c4a22f87ea64064d4a545220e66
Instruction Fuzzy Hash: 8C118E31506795AFCB109F29CC44AB63BA6BF45370B159724F835DB2E0E7309952DB50

Function 006E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006E56BB
_wcslen.LIBCMT ref: 006E56CD
_wcslen.LIBCMT ref: 006E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 006E5816

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: fbf1626541224b5d140dd14f32961991904e6ffeff3db230f92d8205ffe10e76
Instruction ID: 3e53a9203b072faace01be95beaf66bc35215c887d9601d7b767eb72328b4374
Opcode Fuzzy Hash: fbf1626541224b5d140dd14f32961991904e6ffeff3db230f92d8205ffe10e76
Instruction Fuzzy Hash: 4411037160179996DF209F62CCC5AEE37ADEF10368F10802AF916DA181EB70CA85CB64

Function 006B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006B1A8A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c62a4c402195977eb9bbe29104a0ed30387b226257305be28000b5273f635f98
Instruction ID: ff1f37013a7e81ec53c642513246ce3c2915956445718770f1f73706bfd6f84e
Opcode Fuzzy Hash: c62a4c402195977eb9bbe29104a0ed30387b226257305be28000b5273f635f98
Instruction Fuzzy Hash: 3511277A901219FFEB109BA4C985FEDBB79EB08750F200092EA00BB290D6716E51DB94

Function 006BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 006BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006BE24D

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a55356eca1d6595e6b8df77ea84a5833e6e9ab4d1e5a7fdb6b18aafe30814061
Instruction ID: 8ec302a74391c46f444588a466ffbb1c3231f8a6d1891b8141f867bb19d04f96
Opcode Fuzzy Hash: a55356eca1d6595e6b8df77ea84a5833e6e9ab4d1e5a7fdb6b18aafe30814061
Instruction Fuzzy Hash: 5B1144B2D04244BFC710DBA89C49ADE3FAEAB41320F008219F924E3281D2B6CE4187A0

Function 0067D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0067CFF9,00000000,00000004,00000000), ref: 0067D218
GetLastError.KERNEL32 ref: 0067D224
__dosmaperr.LIBCMT ref: 0067D22B
ResumeThread.KERNEL32(00000000), ref: 0067D249

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 137ace452a6d1cb95c657b15a692470c36f709981e2107f85aefcb2d0adc597d
Instruction ID: 1b436b73d88f37f72a1192313d294db544d635f70f8cbb300fcffd6e98b560c8
Opcode Fuzzy Hash: 137ace452a6d1cb95c657b15a692470c36f709981e2107f85aefcb2d0adc597d
Instruction Fuzzy Hash: 5901D236805204BBCB116BA5DC09BEA7A7BDF81731F208619FA39961D1CB708A02C7A0

Function 0065600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0065604C
GetStockObject.GDI32(00000011), ref: 00656060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0065606A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: cf0d40e649dcf800ddc173f195d8ad180bf1aeaed9bbc086cda0b64c4944bd8c
Instruction ID: 6adb2a5bc5cd0f358b2aa2160c3b9f255a8389ef92d7a083536b886e43fa332c
Opcode Fuzzy Hash: cf0d40e649dcf800ddc173f195d8ad180bf1aeaed9bbc086cda0b64c4944bd8c
Instruction Fuzzy Hash: 6211AD72101648BFEF124FA4CD94EEABB6AFF083A5F400205FE0457160C7329C61EBA0

Function 00673B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00673B56

Part of subcall function 00673AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00673AD2
Part of subcall function 00673AA3: ___AdjustPointer.LIBCMT ref: 00673AED

_UnwindNestedFrames.LIBCMT ref: 00673B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00673B7C
CallCatchBlock.LIBVCRUNTIME ref: 00673BA4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: ca079d8a86f37a092ab089d86a4a51226521ad18528fd97d44191ecc8a7f6e82
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 44014C32100148BBDF125EA5CC46EEB3F6EEF58B54F048018FE5C56221D732E961EBA4

Function 00683073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006513C6,00000000,00000000,?,0068301A,006513C6,00000000,00000000,00000000,?,0068328B,00000006,FlsSetValue), ref: 006830A5
GetLastError.KERNEL32(?,0068301A,006513C6,00000000,00000000,00000000,?,0068328B,00000006,FlsSetValue,006F2290,FlsSetValue,00000000,00000364,?,00682E46), ref: 006830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0068301A,006513C6,00000000,00000000,00000000,?,0068328B,00000006,FlsSetValue,006F2290,FlsSetValue,00000000), ref: 006830BF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d4c50d3dc2b26b23526e8baeded34505a232ef3385fa8f9a04f1ea60ec4c22c0
Instruction ID: cb9c069e7368f1dd8b97214715189c4f9dbf5fecd2625a83bc3a8c092448f210
Opcode Fuzzy Hash: d4c50d3dc2b26b23526e8baeded34505a232ef3385fa8f9a04f1ea60ec4c22c0
Instruction Fuzzy Hash: 06018432751332ABCB315BB99C849A77B9AAF45FB1B114720F915EB380D721DA02C7E0

Function 006B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 006B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006B74CA

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7157ffb1be683388330b1181f97f3a8d43fcf83d1e886a91f44c391a1f4ff5b9
Instruction ID: e943e758efebd70398bdcafa8b485637525d51327c1250d5180540920c6dd882
Opcode Fuzzy Hash: 7157ffb1be683388330b1181f97f3a8d43fcf83d1e886a91f44c391a1f4ff5b9
Instruction Fuzzy Hash: D311ADF1205314ABE720CF14DC48FD27BFEEB80B11F108569EA2ADA191D7B0E985DB60

Function 006BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006BACD3,?,00008000), ref: 006BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006BACD3,?,00008000), ref: 006BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006BACD3,?,00008000), ref: 006BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006BACD3,?,00008000), ref: 006BB126

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 19e77acfc760329629ecec70df245e289f69a7614d638e0ffa399598af6ac073
Instruction ID: 52c08ba1df1c411c87e0b917f003d4788e0d0ce4c80df0dd903ca815934f995d
Opcode Fuzzy Hash: 19e77acfc760329629ecec70df245e289f69a7614d638e0ffa399598af6ac073
Instruction Fuzzy Hash: C6116D71C0162CE7CF00AFE8E9986FEBB79FF0A721F105089D941B6285CBB096918B55

Function 006B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 006B2DD6
GetCurrentThreadId.KERNEL32 ref: 006B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006B2DE4

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ccb91aeb7810994fbf26273a6da296c7d0b58a1aa8d1eb4d770782d70e929227
Instruction ID: c33fb758003fa2120518bf50609377e7b02219514da59986cbb52f1e6fd39d4f
Opcode Fuzzy Hash: ccb91aeb7810994fbf26273a6da296c7d0b58a1aa8d1eb4d770782d70e929227
Instruction Fuzzy Hash: F7E092B2141324BBDB201B729C4DFEB7FAEEF42BB1F001019F105D50809AA0C882D7B0

Function 006E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00669639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00669693
Part of subcall function 00669639: SelectObject.GDI32(?,00000000), ref: 006696A2
Part of subcall function 00669639: BeginPath.GDI32(?), ref: 006696B9
Part of subcall function 00669639: SelectObject.GDI32(?,00000000), ref: 006696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006E8887
LineTo.GDI32(?,?,?), ref: 006E8894
EndPath.GDI32(?), ref: 006E88A4
StrokePath.GDI32(?), ref: 006E88B2

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ce9cc8e70e10a3f375bdba39f88198c76d9c9427ec6c3af9f672f26464e3c8d1
Instruction ID: 34b69e29471d32af14d50ee93f97794cd34db43e824aa69695ede4ed89c2a490
Opcode Fuzzy Hash: ce9cc8e70e10a3f375bdba39f88198c76d9c9427ec6c3af9f672f26464e3c8d1
Instruction Fuzzy Hash: F7F03A36042398BAEB125F94AC09FCA3A5AAF16320F448004FE11691E1C7795552CBA9

Function 006698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006698CC
SetTextColor.GDI32(?,?), ref: 006698D6
SetBkMode.GDI32(?,00000001), ref: 006698E9
GetStockObject.GDI32(00000005), ref: 006698F1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6aa2f487a9bb9e352665bc3539a06f6e18499843892d7e8b04278deba8bb4bb8
Instruction ID: 288a0338cb435bd1de2d42bede9cd5c945246288a2aae1dc48a368e3623693d1
Opcode Fuzzy Hash: 6aa2f487a9bb9e352665bc3539a06f6e18499843892d7e8b04278deba8bb4bb8
Instruction Fuzzy Hash: 98E06D31244780AADB215B78EC49BE83F62EB12336F048219F6FA581E1C7714A559F20

Function 006B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006B11D9), ref: 006B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006B11D9), ref: 006B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006B11D9), ref: 006B164F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 31956d0b8f8574a81d0e27eebf7b9330e30715acbbea8c8fdda5e085ab659fa3
Instruction ID: 59f0a6ad0c96b29788c9c8cf772462875b91e61b36d73fc050e94adf069f55bc
Opcode Fuzzy Hash: 31956d0b8f8574a81d0e27eebf7b9330e30715acbbea8c8fdda5e085ab659fa3
Instruction Fuzzy Hash: 2CE04672602311EBD7201BA4AE4DB8A3B6AAF457A2F148808F745CD080E72484828B60

Function 006AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006AD858
GetDC.USER32(00000000), ref: 006AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006AD882
ReleaseDC.USER32(?), ref: 006AD8A3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9714394c17c5382025e6024ce2aad5eb4ab3bf0b9301092c752b9b8ea1ea0f58
Instruction ID: fe134850df5083ea982d0dcfe0f9223b84205fecc21cc9a1749141d98298d355
Opcode Fuzzy Hash: 9714394c17c5382025e6024ce2aad5eb4ab3bf0b9301092c752b9b8ea1ea0f58
Instruction Fuzzy Hash: 5BE01AB4900304EFCF41AFA4D84C66EBBB3FB48321F109409E816EB250C7384902AF40

Function 006AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006AD86C
GetDC.USER32(00000000), ref: 006AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006AD882
ReleaseDC.USER32(?), ref: 006AD8A3

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7d35913ae4d1b67884914679151d27810d0fbbadc745e79d9147f670ce73515
Instruction ID: 898688fb5762ae39f9f6fb38d3bc9b0536f8836728ef1786a528c9d2e03b9c48
Opcode Fuzzy Hash: a7d35913ae4d1b67884914679151d27810d0fbbadc745e79d9147f670ce73515
Instruction Fuzzy Hash: 63E01A74C00300DFCF409FA4D84C66EBBB2BB48321F109408E816EB250C73859029F40

Function 006C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00657620: _wcslen.LIBCMT ref: 00657625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006C4ED4

Strings

*, xrefs: 006C4E10
LPT, xrefs: 006C4DFB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ddb8004e62ad58b5bcd461e78f5d7a0aa7c6121d1aa8de8cc054e6a179c2eb4f
Instruction ID: 7eaded9141a6f5c1f6c054471659ba7932db8b987795bffc0fff8de09e40dbde
Opcode Fuzzy Hash: ddb8004e62ad58b5bcd461e78f5d7a0aa7c6121d1aa8de8cc054e6a179c2eb4f
Instruction Fuzzy Hash: 59914C75A002049FDB14DF58C494FAABBF2EF88304F15809DE85A9B362DB35ED85CB90

Function 0067E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0067E30D

Strings

pow, xrefs: 0067E2E5, 0067E302

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 01511409cca20cbf16cc6d91f454d27cde9e01323d1e77b0672bbd68e45aa5ee
Instruction ID: a1db56a41300e2aad20829b7877bc4406c9c50f5b65f15d281c7f595901cc9d7
Opcode Fuzzy Hash: 01511409cca20cbf16cc6d91f454d27cde9e01323d1e77b0672bbd68e45aa5ee
Instruction Fuzzy Hash: EF515C61A0C20296CB117714C9453F93BA7AF54750F34CAD8E099433A9EB36CD99DF4A

Function 006D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(006A569E,00000000,?,006ECC08,?,00000000,00000000), ref: 006D78DD

Part of subcall function 00656B57: _wcslen.LIBCMT ref: 00656B6A

CharUpperBuffW.USER32(006A569E,00000000,?,006ECC08,00000000,?,00000000,00000000), ref: 006D783B

Strings

<sq, xrefs: 006D77C8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sq
API String ID: 3544283678-4045450873
Opcode ID: 2cf88c162fe8047f05b662a150a23523fae03bbfa652acce3d5f95a11f5add3c
Instruction ID: 25ac14c69b71667668663f9da2fc7a87494612f9590d9dee1cf45cff3821420d
Opcode Fuzzy Hash: 2cf88c162fe8047f05b662a150a23523fae03bbfa652acce3d5f95a11f5add3c
Instruction Fuzzy Hash: 5C617C72914228AACF44EBE4CCA1DFDB376BF14701F44052AF942A7291FF245A09DBA5

Function 0066E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0066E1B1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ecbf1ec8299e26a9e2fb4ead6cac29f5f3f7cb737720a5db8a6bda69ede4de94
Instruction ID: 58e58c6021b2775f0113edccd7c6f4caa033b1a651cd6cce1ea4b0973406b949
Opcode Fuzzy Hash: ecbf1ec8299e26a9e2fb4ead6cac29f5f3f7cb737720a5db8a6bda69ede4de94
Instruction Fuzzy Hash: 3D511279500246DFDB19EF28C4916FA7BABEF56310F244059EC919B3C0DA36DE46CBA0

Function 0066F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0066F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0066F2BB

Strings

@, xrefs: 0066F2AF

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f270c4889641e67ae8eac70c31b872a31de1394cfcf3ff4f2c3fa27c4b4402ed
Instruction ID: c719b54888bc59047aaae9da9aff9ff8ec641f605e0fc289abf16432336881c3
Opcode Fuzzy Hash: f270c4889641e67ae8eac70c31b872a31de1394cfcf3ff4f2c3fa27c4b4402ed
Instruction Fuzzy Hash: 0C5135714087449BD360AF10EC86BAFBBF9FF84311F81885DF5D9411A5EB309529CB6A

Function 006D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006D57E0
_wcslen.LIBCMT ref: 006D57EC

Strings

CALLARGARRAY, xrefs: 006D57E6, 006D57EB

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8473af9e8bc2bad8e4bc014a1d39aeb5a34276b3c10bb1a7ccff5f87ee96d148
Instruction ID: 3e99cfcee0a40f78f4fcfa091a9339df9c9280349ada86d4e3ad87f5f3a34d90
Opcode Fuzzy Hash: 8473af9e8bc2bad8e4bc014a1d39aeb5a34276b3c10bb1a7ccff5f87ee96d148
Instruction Fuzzy Hash: C1419F71E002199FCB14DFA9C8858EEBBB6FF59324F10406EE506A7351EB349D81DB90

Function 006CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006CD13A

Strings

|, xrefs: 006CD10B

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6b860e58a8426a759fd1b90275a9ddff8df916f38803fb39fa52ac43a311f982
Instruction ID: 8ef7ca3bffc1104f4799681777ed92f17146bdf0d3cae07b0d2740d1082526b6
Opcode Fuzzy Hash: 6b860e58a8426a759fd1b90275a9ddff8df916f38803fb39fa52ac43a311f982
Instruction Fuzzy Hash: 70310971D01209ABCF55EFA4CC85EEE7FBAFF04304F000029F815A6265D731AA46CB54

Function 006E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006E365C

Strings

static, xrefs: 006E35BC

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b7b99ab007c6feb6af59f479e5574d22f2c9b3c23ac5c15420bc5c02a960359e
Instruction ID: 0435fe1912508370ee73de48ad51ec1752d2822ce67c859b7236d6b8fe2009bc
Opcode Fuzzy Hash: b7b99ab007c6feb6af59f479e5574d22f2c9b3c23ac5c15420bc5c02a960359e
Instruction Fuzzy Hash: FA318C71110344AEDB109F79DC85AFB73AAFF88720F10961DF8A597280DA31AD82D764

Function 006E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 006E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006E4634

Strings

', xrefs: 006E458E

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 39261f41eee8505fb7317690fbd67b4b859395a6181bf3ebc2e8e35402b94c0d
Instruction ID: 05d352d3aa945959b4bd7bf07d8062a90a9b2512f718ed6ee8a47f07ef7f601f
Opcode Fuzzy Hash: 39261f41eee8505fb7317690fbd67b4b859395a6181bf3ebc2e8e35402b94c0d
Instruction Fuzzy Hash: 7F312C74A023599FDF14CFAAC990BDA7BB6FF49340F144069E905AB351DB70A942CF90

Function 006E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006E3287

Strings

Combobox, xrefs: 006E3249

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 849ddf4dd9087b0d554254b8899f8ff8f1fbf98355dfef768c18a26de37972ab
Instruction ID: c624513b46522c5c7074b3d4c3f2d5893f7aea26d92c8826cd501fbb34469c5c
Opcode Fuzzy Hash: 849ddf4dd9087b0d554254b8899f8ff8f1fbf98355dfef768c18a26de37972ab
Instruction Fuzzy Hash: 5711D0712012586FEF219F55DC88EEB37ABEB94364F104128FA5897390D6319E518760

Function 006E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0065600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0065604C
Part of subcall function 0065600E: GetStockObject.GDI32(00000011), ref: 00656060
Part of subcall function 0065600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0065606A

GetWindowRect.USER32(00000000,?), ref: 006E377A
GetSysColor.USER32(00000012), ref: 006E3794

Strings

static, xrefs: 006E3757

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8987735f5a8efb17c61719c062599b925a890272ffba6023ba91fdb73b602fb7
Instruction ID: 5741c4c93f9d2554ffeb95fd6074904a27e31d27ecc95d799b59daa4fea6c0e7
Opcode Fuzzy Hash: 8987735f5a8efb17c61719c062599b925a890272ffba6023ba91fdb73b602fb7
Instruction Fuzzy Hash: C41159B2610259AFDF10DFA8CC49AEA7BBAFB08314F004514F955E3250D734E811DB50

Function 006CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006CCDA6

Strings

<local>, xrefs: 006CCD66

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 94225ed7f6a68a4a4b22ce8478955d63a9eefd8d6e6fd77608bfcaadd0b7f011
Instruction ID: b39e85baf65088a078f220c9b30863da062e1cbb6ae1657fc0a1a3efb890173d
Opcode Fuzzy Hash: 94225ed7f6a68a4a4b22ce8478955d63a9eefd8d6e6fd77608bfcaadd0b7f011
Instruction Fuzzy Hash: AA11A371605632BAD7244B669C85FF7BE6AEF527B4F00422AF10E87180D674A841D6F0

Function 006E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006E34BA

Strings

edit, xrefs: 006E348F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 34747e96e80379e6786feb7b266689a57e1bc931b96d166ad87ad52902a2fcc2
Instruction ID: c54a1c039dc4d5a77e57fe7306773c15c3af4e780d6f361b24653ecf0661c3cd
Opcode Fuzzy Hash: 34747e96e80379e6786feb7b266689a57e1bc931b96d166ad87ad52902a2fcc2
Instruction Fuzzy Hash: 35119D71101398EAEB128E65DC88AEB37ABEB05374F504324F960973D0C731DD529B50

Function 006B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

CharUpperBuffW.USER32(?,?,?), ref: 006B6CB6
_wcslen.LIBCMT ref: 006B6CC2

Strings

STOP, xrefs: 006B6CBC, 006B6CC1

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d201fe7b18bf335ee27f49e2229294165230da84a837952450c9806fb9346d8a
Instruction ID: 6e5e7bd49e91434f17bb302e2b491c6e17604dce7ee37cab27697e235906ec08
Opcode Fuzzy Hash: d201fe7b18bf335ee27f49e2229294165230da84a837952450c9806fb9346d8a
Instruction Fuzzy Hash: 810104726105268BCB209FBDCC918FF3BB7EE61710B000928F85296290EB39D885C750

Function 006B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006B1D4C

Strings

ComboBox, xrefs: 006B1CEB
ListBox, xrefs: 006B1D16

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 361d56875c737278c526b6b0cb8d42d3c251fb169e657a8db252b27bcfffde4f
Instruction ID: 58f427eabe91fc2db2dd15dae205af557d283f339cc58e0ee8ce66573a6342af
Opcode Fuzzy Hash: 361d56875c737278c526b6b0cb8d42d3c251fb169e657a8db252b27bcfffde4f
Instruction Fuzzy Hash: 2E01B5B5601228AB8B18EBA4CC61CFE776AEF47350B54091DA8225B3C1EA30594D8760

Function 006B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 006B1C46

Strings

ComboBox, xrefs: 006B1BE5
ListBox, xrefs: 006B1C10

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 661faf3ab13a148e61db7e80dd5611acda19cc757c54e8bdd319d5ceaf76657f
Instruction ID: 82f23b012a5538e9030fc5caff958943cfd4df57e1d3a65dd38748ccd1cdb18b
Opcode Fuzzy Hash: 661faf3ab13a148e61db7e80dd5611acda19cc757c54e8bdd319d5ceaf76657f
Instruction Fuzzy Hash: 1101F7F5780104B6CB18EB90C962DFF7BAA9B12340F50041DA9066B2C2EB249E4C87B5

Function 006B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Part of subcall function 006B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 006B1CC8

Strings

ComboBox, xrefs: 006B1C69
ListBox, xrefs: 006B1C94

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d9ff0c8a2d6330e1bcec0a7fcfaf70a371d7429a2d72c4841f06cb540157bfc6
Instruction ID: 592562e73a80e63568bee34b37826d734efb2d180b9a101d4e882e59ab8fe21c
Opcode Fuzzy Hash: d9ff0c8a2d6330e1bcec0a7fcfaf70a371d7429a2d72c4841f06cb540157bfc6
Instruction Fuzzy Hash: 0601A7F5780114B6CB14E794CA11AFE7BAA9B12340F540419BC0177282EB249F498775

Function 0066A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0066A529

Part of subcall function 00659CB3: _wcslen.LIBCMT ref: 00659CBD

Strings

3yj, xrefs: 0066A545, 0066A54D, 0066A552
,%r, xrefs: 0066A509

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%r$3yj
API String ID: 2551934079-468026085
Opcode ID: 4132b9de481b9dad570c868b82e68202d9105a538bfdcd59e9b0491e427aa147
Instruction ID: 743928a0549bf9d9692b4cfae6bc55d9a6de1ec4eace251050eee58a5d2e1c77
Opcode Fuzzy Hash: 4132b9de481b9dad570c868b82e68202d9105a538bfdcd59e9b0491e427aa147
Instruction Fuzzy Hash: 9C014731600210D7C500F3A8DC17A9D33579B44720F5080ACF506672C3EE109D028EEF

Function 006E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00723018,0072305C), ref: 006E81BF
CloseHandle.KERNEL32 ref: 006E81D1

Strings

\0r, xrefs: 006E818A

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0r
API String ID: 3712363035-4222232613
Opcode ID: fd23ce3a37e0db7c1aa6f4c0fcc3f3b1c7a1f85528d860449b739c9c654351c3
Instruction ID: 45600cae8b77503f87e39cbb4aa0bb255ed2c547c2c15d26fd4a2f49ab495a32
Opcode Fuzzy Hash: fd23ce3a37e0db7c1aa6f4c0fcc3f3b1c7a1f85528d860449b739c9c654351c3
Instruction Fuzzy Hash: 73F05EB1640310BEF3306765AC45FB73A5EEB04761F008425BB0CDA1A2D67E8A0186BC

Function 006D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006D7493
_wcslen.LIBCMT ref: 006D74B9

Strings

3, 3, 16, 1, xrefs: 006D7483

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a38cc1d9ce1b9f15efbdd1a0a99c4309ec51f8ed21e8c835a064d447b89b5e78
Instruction ID: 24063f0b3a7491ed1784f76f31b53466ad969fa92771e2721d2df6ccc38708a3
Opcode Fuzzy Hash: a38cc1d9ce1b9f15efbdd1a0a99c4309ec51f8ed21e8c835a064d447b89b5e78
Instruction Fuzzy Hash: 08E02B02A0422011937212799CC59BF57CBCFC5750710182FFA89C2366FF948D9193E6

Function 006B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006B0B23

Strings

AutoIt, xrefs: 006B0B17
Error allocating memory., xrefs: 006B0B1C

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0fa346191375113a04099c3aab7a1b10f8e917b8c9d5283ea0e30b7438ef374c
Instruction ID: ecb1258c3f24f7641bda76c386f2f9fe2ee2227b692b7f909422c2a740485531
Opcode Fuzzy Hash: 0fa346191375113a04099c3aab7a1b10f8e917b8c9d5283ea0e30b7438ef374c
Instruction Fuzzy Hash: 03E0D83128534836D2543755BC07FC97E878F05F31F10042EFB58955C38BE268D046AD

Function 00670D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0066F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00670D71,?,?,?,0065100A), ref: 0066F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0065100A), ref: 00670D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0065100A), ref: 00670D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00670D7F

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5fb0c9475f004186b2b9e22b09790ebf891d406ea7dafeefde97b856af04410b
Instruction ID: a4da9176a322873356c3910c1322daa564f5b39dcfd2056ffb2114e5a8a0363b
Opcode Fuzzy Hash: 5fb0c9475f004186b2b9e22b09790ebf891d406ea7dafeefde97b856af04410b
Instruction Fuzzy Hash: BEE06D702003818FE3709FB9E8483427BE2BF10744F00892DE486CA651DBB5E4498BA1

Function 0066E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0066E3D5

Strings

8%r, xrefs: 0066E3CA
0%r, xrefs: 0066E3B5

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%r$8%r
API String ID: 1385522511-2997621168
Opcode ID: 83cf61958f44a414060dba8bede4eb435ed67b8fea457c0eb20d2a681494ed31
Instruction ID: 0888b040acbda81cca4028292e5178b788fe109de303f9314db7961ab6d9313d
Opcode Fuzzy Hash: 83cf61958f44a414060dba8bede4eb435ed67b8fea457c0eb20d2a681494ed31
Instruction Fuzzy Hash: 8BE02639808A20EBCA14971DF854A883357AF04320B90C1F8E012AB3D3DB3DA8438A5C

Function 006AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006AD220

Strings

%.3d, xrefs: 006AD22B
X64, xrefs: 006AD2A8

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a329b755c1a19083905634fdeba7fca1e533fdc3fdc97a95676bc84b8261e4e8
Instruction ID: b856880de8f40bb3d3b0c7906a7e1d2737ec40eb3584328401a53fc9648987d1
Opcode Fuzzy Hash: a329b755c1a19083905634fdeba7fca1e533fdc3fdc97a95676bc84b8261e4e8
Instruction Fuzzy Hash: ECD012A1C08109E9CB90A7D0DC45AF9B37EBB09301F508452FA0791440D624CF4AEF61

Function 006E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006E236C
PostMessageW.USER32(00000000), ref: 006E2373

Part of subcall function 006BE97B: Sleep.KERNEL32 ref: 006BE9F3

Strings

Shell_TrayWnd, xrefs: 006E2365

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 687ff6e310d467efc4af5bdf133128c92cbbf935d5f8e63a75933bfe4d5fa91b
Instruction ID: 5f3d565a9eac5deb7191a27e9c9b934387eb1960e88cef1cd1a8db17c54cc193
Opcode Fuzzy Hash: 687ff6e310d467efc4af5bdf133128c92cbbf935d5f8e63a75933bfe4d5fa91b
Instruction Fuzzy Hash: FFD0C976381350BAE7A4B7709C4FFC666169B04B20F0059167645AA1D0C9A4B8468A58

Function 006E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006E233F

Part of subcall function 006BE97B: Sleep.KERNEL32 ref: 006BE9F3

Strings

Shell_TrayWnd, xrefs: 006E2325

Memory Dump Source

Source File: 00000000.00000002.1359317424.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.1359296060.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359497148.0000000000712000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359542854.000000000071C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000724000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359561603.0000000000757000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_hesaphareketi-01.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 486882e0b3a79e8230b04dce0e4f0aad5bb4ca945c738548edc51b443ab62f50
Instruction ID: 95e40ef9d03fda6543f9d6e311548f4b57c13384d782e8968097984b7c98abe2
Opcode Fuzzy Hash: 486882e0b3a79e8230b04dce0e4f0aad5bb4ca945c738548edc51b443ab62f50
Instruction Fuzzy Hash: 24D0C976395350BAE7A4B7709C4FFC66A169B00B20F0059167645AA1D0C9A4A8468A54

Source: unknown	Process created: C:\Users\user\Desktop\hesaphareketi-01.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"
Source: C:\Users\user\Desktop\hesaphareketi-01.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\hesaphareketi-01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Users\user\AppData\Local\directory\svchost.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\svchost.exe"	Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hesaphareketi-01.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4B09.tmp

C:\Users\user\AppData\Local\Temp\aut4B67.tmp

C:\Users\user\AppData\Local\Temp\aut50F4.tmp

C:\Users\user\AppData\Local\Temp\aut5143.tmp

C:\Users\user\AppData\Local\Temp\aut5634.tmp

C:\Users\user\AppData\Local\Temp\aut5683.tmp

C:\Users\user\AppData\Local\Temp\aut82B3.tmp

C:\Users\user\AppData\Local\Temp\aut82F2.tmp

C:\Users\user\AppData\Local\Temp\aut886F.tmp

C:\Users\user\AppData\Local\Temp\aut89E7.tmp

C:\Users\user\AppData\Local\Temp\nonsubmerged

C:\Users\user\AppData\Local\Temp\ophiolatrous

Windows Analysis Report
hesaphareketi-01.exe

Function 006542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 006542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00692BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre